Issue with scanner status via API request


Laurent Jubeau

Jan 21, 2016, 10:37:19 AM
to OWASP ZAP User Group
Hi!

I run a "ScanAsUser" scan from the ZAP API (either from a Python script or from a web browser configured to use ZAP as its proxy).
In my Active Scan panel in the ZAP UI 2.4.3, the progress bar rises instantly to 100% but I see the requests below for several minutes!

If I run the same scan with the UI, the progress bar rises step by step (1%, then 2%, ...).

I tried to:
 change the Scan Policy,
 scan without a user,
 start a new session,
 restart the ZAP UI
without success.


Because of this issue, my Python script is not able to correctly detect the end of the scan:

while (int(zap.ascan.status()) < 100):
    print 'Scan progress %: ' + zap.ascan.status()
    time.sleep(5)

It generates the report but requests are still running!

Any idea?

Best regards,
Laurent

Simon Bennetts

Jan 21, 2016, 10:57:03 AM
to OWASP ZAP User Group
Strange, it's working fine when we run ZAP against wavsep.
The script we use is https://github.com/zapbot/zap-mgmt-scripts/blob/master/wavsep/wavsep-1.5-spider-scan.py

However, just thought... are you scanning more than once?
That only works if there's only ever one scan.
The zap.ascan.scan call returns a scan id.
If you call zap.ascan.status() then you'll always get the status of the first scan.
If this is the case you'll have to record the scan id returned and then specify it to get the right status: zap.ascan.status(scanid)

Cheers,

Simon

thc...@gmail.com

Jan 21, 2016, 10:57:19 AM
to zaprox...@googlegroups.com
Hi.

Could you provide an excerpt (around the entries "scanner started" and
"scanner completed") of the zap.log [1] when that happens?


[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.

Simon Bennetts

Jan 21, 2016, 11:04:56 AM
to OWASP ZAP User Group
Correction, it should default to the last scan, not the first one :/
Either way, it's safest to record the scan id and use that when checking the status.
If that doesn't work, the relevant part of the script and any errors logged (as thc202 suggested) would be really useful.

Cheers,

Simon

Laurent Jubeau

Jan 21, 2016, 11:27:48 AM
to OWASP ZAP User Group
Thank you guys

I'm completely new to Python so I started with the example on this page: https://github.com/zaproxy/zaproxy/wiki/ApiPython

I tried adding another line:

while (int(zap.ascan.status()) < 100):
    print 'Scan progress %: ' + zap.ascan.status()
    time.sleep(5)

print 'Scan progress %: ' + zap.ascan.status()

And I get this: Scan progress %: 2000 and sometimes this: Scan progress %: 300

Simon: yes, I'm scanning more than once

thc202, here are the logs:

2016-01-21 17:15:50,013 [ZAP-ProxyThread-43] INFO  Scanner - scanner started
2016-01-21 17:15:50,015 [Thread-194] INFO  PluginFactory - loaded plugin Path Traversal
2016-01-21 17:15:50,016 [Thread-194] INFO  PluginFactory - loaded plugin Remote File Inclusion
2016-01-21 17:15:50,016 [Thread-194] INFO  PluginFactory - loaded plugin Server Side Include
2016-01-21 17:15:50,016 [Thread-194] INFO  PluginFactory - loaded plugin Cross Site Scripting (Reflected)
2016-01-21 17:15:50,017 [Thread-194] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent)
2016-01-21 17:15:50,017 [Thread-194] INFO  PluginFactory - loaded plugin SQL Injection
2016-01-21 17:15:50,017 [Thread-194] INFO  PluginFactory - loaded plugin Server Side Code Injection
2016-01-21 17:15:50,017 [Thread-194] INFO  PluginFactory - loaded plugin Remote OS Command Injection
2016-01-21 17:15:50,018 [Thread-194] INFO  PluginFactory - loaded plugin Directory Browsing
2016-01-21 17:15:50,020 [Thread-194] INFO  PluginFactory - loaded plugin External Redirect
2016-01-21 17:15:50,023 [Thread-194] INFO  PluginFactory - loaded plugin Buffer Overflow
2016-01-21 17:15:50,025 [Thread-194] INFO  PluginFactory - loaded plugin Format String Error
2016-01-21 17:15:50,027 [Thread-194] INFO  PluginFactory - loaded plugin CRLF Injection
2016-01-21 17:15:50,029 [Thread-194] INFO  PluginFactory - loaded plugin Parameter Tampering
2016-01-21 17:15:50,029 [Thread-194] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
2016-01-21 17:15:50,030 [Thread-194] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
2016-01-21 17:15:50,030 [Thread-194] INFO  PluginFactory - loaded plugin Script Active Scan Rules
2016-01-21 17:15:50,031 [Thread-194] INFO  PluginFactory - loaded plugin Source Code Disclosure - SVN
2016-01-21 17:15:50,032 [Thread-194] INFO  PluginFactory - loaded plugin Source Code Disclosure - /WEB-INF folder
2016-01-21 17:15:50,033 [Thread-194] INFO  PluginFactory - loaded plugin Remote Code Execution - Shell Shock
2016-01-21 17:15:50,033 [Thread-194] INFO  PluginFactory - loaded plugin Anti CSRF Tokens Scanner
2016-01-21 17:15:50,034 [Thread-194] INFO  PluginFactory - loaded plugin Heartbleed OpenSSL Vulnerability
2016-01-21 17:15:50,034 [Thread-194] INFO  PluginFactory - loaded plugin Cross-Domain Misconfiguration
2016-01-21 17:15:50,034 [Thread-194] INFO  PluginFactory - loaded plugin Source Code Disclosure - CVE-2012-1823
2016-01-21 17:15:50,035 [Thread-194] INFO  PluginFactory - loaded plugin Remote Code Execution - CVE-2012-1823
2016-01-21 17:15:50,035 [Thread-194] INFO  PluginFactory - loaded plugin Session Fixation
2016-01-21 17:15:50,036 [Thread-194] INFO  PluginFactory - loaded plugin SQL Injection - MySQL
2016-01-21 17:15:50,036 [Thread-194] INFO  PluginFactory - loaded plugin SQL Injection - Hypersonic SQL
2016-01-21 17:15:50,036 [Thread-194] INFO  PluginFactory - loaded plugin SQL Injection - Oracle
2016-01-21 17:15:50,037 [Thread-194] INFO  PluginFactory - loaded plugin SQL Injection - PostgreSQL
2016-01-21 17:15:50,038 [Thread-194] INFO  PluginFactory - loaded plugin XPath Injection Plugin
2016-01-21 17:15:50,040 [Thread-194] INFO  PluginFactory - loaded plugin XML External Entity Attack
2016-01-21 17:15:50,041 [Thread-194] INFO  PluginFactory - loaded plugin Generic Padding Oracle
2016-01-21 17:15:50,042 [ZAP-ProxyThread-43] INFO  Scanner - scanner stopped
2016-01-21 17:15:50,042 [Thread-194] INFO  PluginFactory - loaded plugin Expression Language Injection
2016-01-21 17:15:50,043 [Thread-194] INFO  PluginFactory - loaded plugin Backup File Disclosure
2016-01-21 17:15:50,043 [Thread-194] INFO  PluginFactory - loaded plugin Insecure HTTP Method
2016-01-21 17:15:50,044 [Thread-194] INFO  PluginFactory - loaded plugin HTTP Parameter Pollution scanner
2016-01-21 17:15:50,044 [Thread-194] INFO  PluginFactory - loaded plugin Possible Username Enumeration
2016-01-21 17:15:50,046 [Thread-195] INFO  HostProcess - skipped plugin http://10.6.6.97 | TestSQLInjection in 0s
2016-01-21 17:15:50,084 [Thread-195] INFO  HostProcess - start host http://10.6.6.97 | SQLInjectionMySQL strength HIGH threshold MEDIUM
2016-01-21 17:15:51,643 [ZAP-ActiveScanner-0] ERROR SQLInjectionMySQL - Error occurred while scanning with variant org.parosproxy.paros.core.scanner.VariantJSONQuery
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=97
    at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
2016-01-21 17:15:54,202 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:54,690 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:55,176 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:55,677 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:56,168 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:56,708 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:57,228 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:57,705 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:58,196 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:58,698 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:59,178 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:15:59,683 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:00,305 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:00,815 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:01,288 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:01,767 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:02,256 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:02,735 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:03,244 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:03,815 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:04,313 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:04,786 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:05,273 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:16:05,761 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:17:07,135 [Thread-195] INFO  HostProcess - completed host/plugin http://10.6.6.97 | SQLInjectionMySQL in 77.051s
2016-01-21 17:17:07,144 [Thread-195] INFO  HostProcess - completed host http://10.6.6.97 in 77.099s
2016-01-21 17:17:07,148 [Thread-194] INFO  Scanner - scanner completed in 77.134s

Laurent Jubeau

Jan 21, 2016, 11:33:05 AM
to OWASP ZAP User Group
Same exception with another policy:

2016-01-21 17:28:42,492 [ZAP-ProxyThread-49] INFO  Scanner - scanner started
2016-01-21 17:28:42,499 [Thread-230] INFO  PluginFactory - loaded plugin Path Traversal
2016-01-21 17:28:42,503 [Thread-230] INFO  PluginFactory - loaded plugin Remote File Inclusion
2016-01-21 17:28:42,509 [Thread-230] INFO  PluginFactory - loaded plugin Server Side Include
2016-01-21 17:28:42,511 [Thread-230] INFO  PluginFactory - loaded plugin Cross Site Scripting (Reflected)
2016-01-21 17:28:42,515 [Thread-230] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent)
2016-01-21 17:28:42,516 [Thread-230] INFO  PluginFactory - loaded plugin SQL Injection
2016-01-21 17:28:42,516 [Thread-230] INFO  PluginFactory - loaded plugin Server Side Code Injection
2016-01-21 17:28:42,517 [Thread-230] INFO  PluginFactory - loaded plugin Remote OS Command Injection
2016-01-21 17:28:42,518 [Thread-230] INFO  PluginFactory - loaded plugin Directory Browsing
2016-01-21 17:28:42,519 [Thread-230] INFO  PluginFactory - loaded plugin External Redirect
2016-01-21 17:28:42,520 [Thread-230] INFO  PluginFactory - loaded plugin Buffer Overflow
2016-01-21 17:28:42,521 [Thread-230] INFO  PluginFactory - loaded plugin Format String Error
2016-01-21 17:28:42,522 [Thread-230] INFO  PluginFactory - loaded plugin CRLF Injection
2016-01-21 17:28:42,523 [Thread-230] INFO  PluginFactory - loaded plugin Parameter Tampering
2016-01-21 17:28:42,523 [Thread-230] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
2016-01-21 17:28:42,524 [Thread-230] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
2016-01-21 17:28:42,524 [Thread-230] INFO  PluginFactory - loaded plugin Script Active Scan Rules
2016-01-21 17:28:42,524 [Thread-230] INFO  PluginFactory - loaded plugin Source Code Disclosure - SVN
2016-01-21 17:28:42,530 [Thread-230] INFO  PluginFactory - loaded plugin Source Code Disclosure - /WEB-INF folder
2016-01-21 17:28:42,530 [Thread-230] INFO  PluginFactory - loaded plugin Remote Code Execution - Shell Shock
2016-01-21 17:28:42,531 [Thread-230] INFO  PluginFactory - loaded plugin Anti CSRF Tokens Scanner
2016-01-21 17:28:42,531 [Thread-230] INFO  PluginFactory - loaded plugin Heartbleed OpenSSL Vulnerability
2016-01-21 17:28:42,531 [Thread-230] INFO  PluginFactory - loaded plugin Cross-Domain Misconfiguration
2016-01-21 17:28:42,532 [Thread-230] INFO  PluginFactory - loaded plugin Source Code Disclosure - CVE-2012-1823
2016-01-21 17:28:42,532 [Thread-230] INFO  PluginFactory - loaded plugin Remote Code Execution - CVE-2012-1823
2016-01-21 17:28:42,532 [Thread-230] INFO  PluginFactory - loaded plugin Session Fixation
2016-01-21 17:28:42,534 [Thread-230] INFO  PluginFactory - loaded plugin SQL Injection - MySQL
2016-01-21 17:28:42,535 [Thread-230] INFO  PluginFactory - loaded plugin SQL Injection - Hypersonic SQL
2016-01-21 17:28:42,536 [Thread-230] INFO  PluginFactory - loaded plugin SQL Injection - Oracle
2016-01-21 17:28:42,543 [Thread-230] INFO  PluginFactory - loaded plugin SQL Injection - PostgreSQL
2016-01-21 17:28:42,545 [Thread-230] INFO  PluginFactory - loaded plugin XPath Injection Plugin
2016-01-21 17:28:42,546 [ZAP-ProxyThread-49] INFO  Scanner - scanner stopped
2016-01-21 17:28:42,549 [Thread-230] INFO  PluginFactory - loaded plugin XML External Entity Attack
2016-01-21 17:28:42,551 [Thread-230] INFO  PluginFactory - loaded plugin Generic Padding Oracle
2016-01-21 17:28:42,552 [Thread-230] INFO  PluginFactory - loaded plugin Expression Language Injection
2016-01-21 17:28:42,554 [Thread-230] INFO  PluginFactory - loaded plugin Backup File Disclosure
2016-01-21 17:28:42,555 [Thread-230] INFO  PluginFactory - loaded plugin Insecure HTTP Method
2016-01-21 17:28:42,555 [Thread-230] INFO  PluginFactory - loaded plugin HTTP Parameter Pollution scanner
2016-01-21 17:28:42,558 [Thread-230] INFO  PluginFactory - loaded plugin Possible Username Enumeration
2016-01-21 17:28:42,561 [Thread-231] INFO  HostProcess - start host http://10.6.6.97 | BufferOverflow strength HIGH threshold MEDIUM
2016-01-21 17:28:43,273 [ZAP-ActiveScanner-0] ERROR BufferOverflow - Error occurred while scanning with variant org.parosproxy.paros.core.scanner.VariantJSONQuery

java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=97
    at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
2016-01-21 17:28:43,986 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
2016-01-21 17:28:52,511 [Thread-231] INFO  HostProcess - completed host/plugin http://10.6.6.97 | BufferOverflow in 9.95s
2016-01-21 17:28:52,525 [Thread-231] INFO  HostProcess - completed host http://10.6.6.97 in 9.964s
2016-01-21 17:28:52,527 [Thread-230] INFO  Scanner - scanner completed in 10.034s



Laurent Jubeau

Jan 21, 2016, 11:39:10 AM
to OWASP ZAP User Group
Complete .py:


#!/usr/bin/env python
# coding=utf-8

import time
from pprint import pprint
from zapv2 import ZAPv2

##### Settings to configure for the scanner #####
target='http://10.6.6.97/api' # URL to scan
contextID=2 # ID of the context in the session
userID=3 # ID of the user in the context
#scanPolicyName='SQLI High avec Beta'
#scanPolicyName='SQLI Medium sans beta'
#scanPolicyName='SQLI MySql Beta seule'
scanPolicyName='BufferOverflow'

apiKey='lsir0nkrga22d52uln34o94al2'
#############################################

#zap = ZAPv2()
# Use the line below if ZAP is not listening on 8090
zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8888', 'https': 'http://127.0.0.1:8888'})

# do stuff

print 'reset Alerts'
#zap.core.delete_all_alerts(apiKey)

print 'Scanning target %s' % target
#zap.ascan.scan(target,apikey='lsir0nkrga22d52uln34o94al2')
zap.ascan.scan_as_user(target,2,3,scanpolicyname=scanPolicyName,apikey=apiKey)

while (int(zap.ascan.status()) < 100):
    print 'Scan progress %: ' + zap.ascan.status()
    time.sleep(5)

print 'Scan progress %: ' + zap.ascan.status()
print 'Scan completed'

# Report the results
#print 'Alerts: '
#pprint (zap.core.alerts())

# Create HTML report
with open('D:\lju\python\RapportZAP.html', 'w') as file_:
    file_.write(zap.core.htmlreport(apiKey))

thc...@gmail.com

Jan 21, 2016, 12:15:29 PM
to zaprox...@googlegroups.com
Hmm, something is stopping the scan:
2016-01-21 17:28:42,546 [ZAP-ProxyThread-49] INFO Scanner - scanner stopped

Does your script stop the scans?
Doesn't look like it, but something is stopping it :/

Best regards.

Laurent Jubeau

Jan 21, 2016, 1:50:47 PM
to OWASP ZAP User Group
Nope.

And all requests are still running:
2016-01-21 17:16:03,815 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: Admin
are the logs from my authentication script.

Laurent Jubeau

Jan 22, 2016, 3:33:01 AM
to OWASP ZAP User Group
Hi

I tried to scan WAVSEP, with the same issue (the progress bar doesn't rise to 100% instantly but very quickly (1s?): 10% 30% 50% 70% 90% 100%).

Then I tried this:


while (1 < 100):
    print 'Scan progress %: ' + zap.ascan.status(scanId)
    time.sleep(5)

Scanning target http://localhost:8080/wavsep
ScanId 2
Scan progress %: 290
Scan progress %: 550
Scan progress %: 800
Scan progress %: 1040
Scan progress %: 1300
Scan progress %: 1580
Scan progress %: 1830
Scan progress %: 2080
Scan progress %: 100  <= No more request in ZAP UI here
Scan progress %: 100
Scan progress %: 100
Scan progress %: 100
Scan progress %: 100
Scan progress %: 100
Scan progress %: 100
Scan progress %: 100

Then I pressed Ctrl+C.

I changed my script this way and it works:

while (int(zap.ascan.status(scanId)) != 100):
    print 'Scan progress %: ' + zap.ascan.status(scanId)
    time.sleep(5)


But it is strange behaviour... (Bug?)

Thank you guys for helping !
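
Added example, not part of the original thread: a polling loop that records the scan id, as Simon advises, and treats only a reading of exactly 100 as finished, replaying the out-of-range readings posted above against a constructed stand-in for `zap.ascan`. `FakeAscan`, `naive_wait`, `wait_for_scan`, `ScanTimeout` and the timeout values are assumptions for illustration.

```python
import time

# Readings copied from the "Scan progress %" output posted in the thread.
THREAD_READINGS = [290, 550, 800, 1040, 1300, 1580, 1830, 2080, 100]


class ScanTimeout(Exception):
    """Raised when the scan does not report completion before the deadline."""


class FakeAscan:
    """Constructed stand-in for zap.ascan that replays canned status readings."""

    def __init__(self, readings_by_scan):
        self._readings = {str(k): list(v) for k, v in readings_by_scan.items()}

    def status(self, scanid):
        queue = self._readings[str(scanid)]
        # Replay each reading once, then keep returning the final one.
        value = queue.pop(0) if len(queue) > 1 else queue[0]
        return str(value)  # the loops in the thread receive the status as a string


def naive_wait(get_status, scan_id, sleep=time.sleep):
    """The original loop condition from the thread: stop as soon as status >= 100."""
    readings = []
    while True:
        value = int(get_status(scan_id))
        readings.append(value)
        if not value < 100:
            return readings
        sleep(5)


def wait_for_scan(get_status, scan_id, poll_interval=5.0, timeout=3600.0,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll one specific scan until it reports exactly 100.

    Returns (readings, anomalies); anomalies are readings outside 0..100,
    which are recorded and treated as "still running".
    """
    # Assumption: scan ids are numeric, as in the thread's "ScanId 2".
    # Anything else is treated as a failed start rather than polled.
    if not str(scan_id).isdigit():
        raise ValueError("scan did not start, got %r instead of a scan id" % (scan_id,))

    deadline = clock() + timeout
    readings, anomalies = [], []
    while True:
        raw = get_status(scan_id)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError("unexpected status %r for scan %s" % (raw, scan_id))
        readings.append(value)
        if value == 100:
            return readings, anomalies
        if not 0 <= value < 100:
            anomalies.append(value)
        if clock() >= deadline:
            raise ScanTimeout("scan %s still at %d after %ss" % (scan_id, value, timeout))
        sleep(poll_interval)


def demo():
    """Run both loops over the readings from the thread, without real sleeping."""
    no_sleep = lambda seconds: None
    naive = naive_wait(FakeAscan({"2": THREAD_READINGS}).status, "2", sleep=no_sleep)
    readings, anomalies = wait_for_scan(
        FakeAscan({"2": THREAD_READINGS}).status, "2", sleep=no_sleep)
    return naive, readings, anomalies


if __name__ == "__main__":
    naive, readings, anomalies = demo()
    print("naive loop stopped after:", naive)
    print("id-aware loop saw:", readings)
    print("out-of-range readings:", anomalies)
```

Against a real ZAP instance, the id returned by `zap.ascan.scan(...)` would be passed as `scan_id` and `zap.ascan.status` as `get_status`, so a report is only written once that particular scan has finished.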


thc...@gmail.com

Jan 22, 2016, 4:12:13 AM
to zaprox...@googlegroups.com
Hi.

Yeah, very strange indeed.

Could you run the following "Stand Alone" JavaScript script:
var lvl = org.apache.log4j.Level.DEBUG
org.apache.log4j.Logger.getLogger("org.zaproxy.zap.extension.ascan").setLevel(lvl)
org.apache.log4j.Logger.getLogger("org.zaproxy.zap.extension.api").setLevel(lvl)
org.apache.log4j.Logger.getLogger("org.parosproxy.paros.core.scanner").setLevel(lvl)


and after that run your script?
The log should contain more information, hopefully clues to what the
problem is.
Note that it will log a lot of things, so you might want to stop the
scan manually.
The interesting bits should be between:
DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest
http://zap/JSON/ascan/action/scan/?url=...
and
INFO org.parosproxy.paros.core.scanner.HostProcess - start host

Best regards.


Laurent Jubeau

Jan 22, 2016, 4:27:01 AM
to OWASP ZAP User Group
Wrote the script but how can I run it?

Laurent Jubeau

Jan 22, 2016, 4:36:34 AM
to OWASP ZAP User Group
Found it :) : just on the top bar of the "Script Console Panel"

Logs (some more lines than requested so that you can see the first API - handleApiRequest returning: {"status":"233"})



2016-01-22 10:31:12,726 [ZAP-ProxyThread-85] DEBUG API - handleApiRequest http://zap/JSON/ascan/action/scan/?url=http%3A%2F%2Flocalhost%3A8080%2Fwavsep&apikey=lsir0nkrga22d52uln34o94al2&scanPolicyName=BufferOverflow
2016-01-22 10:31:12,727 [ZAP-ProxyThread-85] DEBUG ActiveScanAPI - handleApiAction scan {"url":"http://localhost:8080/wavsep","apikey":"lsir0nkrga22d52uln34o94al2","scanPolicyName":"BufferOverflow"}
2016-01-22 10:31:12,727 [ZAP-ProxyThread-85] DEBUG ActiveScanAPI - handleApiAction scan policy =BufferOverflow
2016-01-22 10:31:12,760 [ZAP-ProxyThread-85] DEBUG PluginFactory - loadAllPlugin
2016-01-22 10:31:12,760 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Path Traversal
2016-01-22 10:31:12,761 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,761 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Remote File Inclusion
2016-01-22 10:31:12,761 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,761 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Server Side Include
2016-01-22 10:31:12,762 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,762 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Cross Site Scripting (Reflected)
2016-01-22 10:31:12,762 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,762 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent)
2016-01-22 10:31:12,762 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,763 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin SQL Injection
2016-01-22 10:31:12,763 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,763 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Server Side Code Injection
2016-01-22 10:31:12,763 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,763 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Remote OS Command Injection
2016-01-22 10:31:12,764 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,764 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Directory Browsing
2016-01-22 10:31:12,764 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,764 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin External Redirect
2016-01-22 10:31:12,764 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,765 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Buffer Overflow
2016-01-22 10:31:12,765 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=MEDIUM Strength=HIGH
2016-01-22 10:31:12,765 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Format String Error
2016-01-22 10:31:12,765 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,765 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin CRLF Injection
2016-01-22 10:31:12,766 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,766 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Parameter Tampering
2016-01-22 10:31:12,766 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,766 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
2016-01-22 10:31:12,766 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,767 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
2016-01-22 10:31:12,767 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,767 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Script Active Scan Rules
2016-01-22 10:31:12,767 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Source Code Disclosure - SVN
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Source Code Disclosure - /WEB-INF folder
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Remote Code Execution - Shell Shock
2016-01-22 10:31:12,768 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,769 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Anti CSRF Tokens Scanner
2016-01-22 10:31:12,769 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,769 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Heartbleed OpenSSL Vulnerability
2016-01-22 10:31:12,769 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,770 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Cross-Domain Misconfiguration
2016-01-22 10:31:12,770 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,770 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Source Code Disclosure - CVE-2012-1823
2016-01-22 10:31:12,770 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,770 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Remote Code Execution - CVE-2012-1823
2016-01-22 10:31:12,771 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,771 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Session Fixation
2016-01-22 10:31:12,771 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,771 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin SQL Injection - MySQL
2016-01-22 10:31:12,771 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,772 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin SQL Injection - Hypersonic SQL
2016-01-22 10:31:12,772 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,772 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin SQL Injection - Oracle
2016-01-22 10:31:12,772 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,772 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin SQL Injection - PostgreSQL
2016-01-22 10:31:12,773 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,773 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin XPath Injection Plugin
2016-01-22 10:31:12,773 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,773 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin XML External Entity Attack
2016-01-22 10:31:12,773 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,774 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Generic Padding Oracle
2016-01-22 10:31:12,774 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,774 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Expression Language Injection
2016-01-22 10:31:12,774 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,775 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Backup File Disclosure
2016-01-22 10:31:12,775 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,775 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Insecure HTTP Method
2016-01-22 10:31:12,775 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,775 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin HTTP Parameter Pollution scanner
2016-01-22 10:31:12,776 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,776 [ZAP-ProxyThread-85] INFO  PluginFactory - loaded plugin Possible Username Enumeration
2016-01-22 10:31:12,776 [ZAP-ProxyThread-85] DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM
2016-01-22 10:31:12,777 [ZAP-ProxyThread-85] DEBUG ActiveScanController - Setting custom policy BufferOverflow
2016-01-22 10:31:12,777 [ZAP-ProxyThread-85] INFO  Scanner - scanner started
2016-01-22 10:31:12,779 [Thread-75] INFO  PluginFactory - loaded plugin Path Traversal
2016-01-22 10:31:12,780 [Thread-75] INFO  PluginFactory - loaded plugin Remote File Inclusion
2016-01-22 10:31:12,781 [Thread-75] INFO  PluginFactory - loaded plugin Server Side Include
2016-01-22 10:31:12,782 [Thread-75] INFO  PluginFactory - loaded plugin Cross Site Scripting (Reflected)
2016-01-22 10:31:12,782 [Thread-75] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent)
2016-01-22 10:31:12,783 [Thread-75] INFO  PluginFactory - loaded plugin SQL Injection
2016-01-22 10:31:12,784 [Thread-75] INFO  PluginFactory - loaded plugin Server Side Code Injection
2016-01-22 10:31:12,787 [Thread-75] INFO  PluginFactory - loaded plugin Remote OS Command Injection
2016-01-22 10:31:12,789 [Thread-75] INFO  PluginFactory - loaded plugin Directory Browsing
2016-01-22 10:31:12,790 [Thread-75] INFO  PluginFactory - loaded plugin External Redirect
2016-01-22 10:31:12,793 [Thread-75] INFO  PluginFactory - loaded plugin Buffer Overflow
2016-01-22 10:31:12,794 [Thread-75] INFO  PluginFactory - loaded plugin Format String Error
2016-01-22 10:31:12,795 [Thread-75] INFO  PluginFactory - loaded plugin CRLF Injection
2016-01-22 10:31:12,795 [Thread-75] INFO  PluginFactory - loaded plugin Parameter Tampering
2016-01-22 10:31:12,796 [Thread-75] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
2016-01-22 10:31:12,797 [Thread-75] INFO  PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
2016-01-22 10:31:12,799 [Thread-75] INFO  PluginFactory - loaded plugin Script Active Scan Rules
2016-01-22 10:31:12,800 [Thread-75] INFO  PluginFactory - loaded plugin Source Code Disclosure - SVN
2016-01-22 10:31:12,800 [Thread-75] INFO  PluginFactory - loaded plugin Source Code Disclosure - /WEB-INF folder
2016-01-22 10:31:12,801 [Thread-75] INFO  PluginFactory - loaded plugin Remote Code Execution - Shell Shock
2016-01-22 10:31:12,801 [Thread-75] INFO  PluginFactory - loaded plugin Anti CSRF Tokens Scanner
2016-01-22 10:31:12,801 [Thread-75] INFO  PluginFactory - loaded plugin Heartbleed OpenSSL Vulnerability
2016-01-22 10:31:12,803 [Thread-75] INFO  PluginFactory - loaded plugin Cross-Domain Misconfiguration
2016-01-22 10:31:12,804 [Thread-75] INFO  PluginFactory - loaded plugin Source Code Disclosure - CVE-2012-1823
2016-01-22 10:31:12,805 [Thread-75] INFO  PluginFactory - loaded plugin Remote Code Execution - CVE-2012-1823
2016-01-22 10:31:12,806 [Thread-75] INFO  PluginFactory - loaded plugin Session Fixation
2016-01-22 10:31:12,807 [Thread-75] INFO  PluginFactory - loaded plugin SQL Injection - MySQL
2016-01-22 10:31:12,807 [Thread-75] INFO  PluginFactory - loaded plugin SQL Injection - Hypersonic SQL
2016-01-22 10:31:12,808 [Thread-75] INFO  PluginFactory - loaded plugin SQL Injection - Oracle
2016-01-22 10:31:12,809 [Thread-75] INFO  PluginFactory - loaded plugin SQL Injection - PostgreSQL
2016-01-22 10:31:12,810 [Thread-75] INFO  PluginFactory - loaded plugin XPath Injection Plugin
2016-01-22 10:31:12,810 [Thread-75] INFO  PluginFactory - loaded plugin XML External Entity Attack
2016-01-22 10:31:12,811 [Thread-75] INFO  PluginFactory - loaded plugin Generic Padding Oracle
2016-01-22 10:31:12,811 [Thread-75] INFO  PluginFactory - loaded plugin Expression Language Injection
2016-01-22 10:31:12,811 [Thread-75] INFO  PluginFactory - loaded plugin Backup File Disclosure
2016-01-22 10:31:12,812 [Thread-75] INFO  PluginFactory - loaded plugin Insecure HTTP Method
2016-01-22 10:31:12,812 [Thread-75] INFO  PluginFactory - loaded plugin HTTP Parameter Pollution scanner
2016-01-22 10:31:12,812 [Thread-75] INFO  PluginFactory - loaded plugin Possible Username Enumeration
2016-01-22 10:31:12,814 [Thread-76] DEBUG HostProcess - HostProcess.run
2016-01-22 10:31:12,815 [Thread-76] INFO  HostProcess - start host http://localhost:8080 | BufferOverflow strength HIGH threshold MEDIUM
2016-01-22 10:31:12,816 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep
2016-01-22 10:31:12,816 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep
2016-01-22 10:31:12,838 [Thread-76] DEBUG HostProcess - traverse: including related sibling http://localhost:8080/wavsep
2016-01-22 10:31:12,839 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active
2016-01-22 10:31:12,839 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active
2016-01-22 10:31:12,871 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection
2016-01-22 10:31:12,872 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection
2016-01-22 10:31:12,884 [ZAP-ProxyThread-85] DEBUG API - handleApiRequest returning: {"scan":"1"}
2016-01-22 10:31:12,941 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error
2016-01-22 10:31:12,942 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error
2016-01-22 10:31:13,145 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case19-InjectionInUpdate-NumericWithoutQuotes-CommandInjection-With200Errors.jsp?msgid=1
2016-01-22 10:31:13,146 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case19-InjectionInUpdate-NumericWithoutQuotes-CommandInjection-With200Errors.jsp?msgid=1
2016-01-22 10:31:13,150 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case18-InjectionInCalc-NumericWithoutQuotes-BooleanExploit-With200Errors.jsp?minBalanace=10000
2016-01-22 10:31:13,151 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case18-InjectionInCalc-NumericWithoutQuotes-BooleanExploit-With200Errors.jsp?minBalanace=10000
2016-01-22 10:31:13,767 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case17-InjectionInSearch-NumericWithoutQuotes-UnionExploit-With200Errors.jsp?msgId=1
2016-01-22 10:31:13,768 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case17-InjectionInSearch-NumericWithoutQuotes-UnionExploit-With200Errors.jsp?msgId=1
2016-01-22 10:31:14,172 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case16-InjectionInView-NumericWithoutQuotes-PermissionBypass-With200Errors.jsp?transactionId=132
2016-01-22 10:31:14,173 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case16-InjectionInView-NumericWithoutQuotes-PermissionBypass-With200Errors.jsp?transactionId=132
2016-01-22 10:31:14,377 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case15-InjectionInSearch-DateWithoutQuotes-UnionExploit-With200Errors.jsp?transactionDate=2010-02-02
2016-01-22 10:31:14,378 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case15-InjectionInSearch-DateWithoutQuotes-UnionExploit-With200Errors.jsp?transactionDate=2010-02-02
2016-01-22 10:31:14,781 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case14-InjectionInUpdate-Date-CommandInjection-With200Errors.jsp?transactionDate=2010-02-02
2016-01-22 10:31:14,781 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case14-InjectionInUpdate-Date-CommandInjection-With200Errors.jsp?transactionDate=2010-02-02
2016-01-22 10:31:14,983 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case13-InjectionInCalc-Date-BooleanExploit-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:14,985 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case13-InjectionInCalc-Date-BooleanExploit-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:15,388 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case12-InjectionInSearch-Date-UnionExploit-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:15,389 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case12-InjectionInSearch-Date-UnionExploit-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:15,596 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case11-InjectionInView-Date-PermissionBypass-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:15,596 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case11-InjectionInView-Date-PermissionBypass-With200Errors.jsp?transactionDate=2010-01-01
2016-01-22 10:31:15,998 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case10-InjectionInSearchOrderBy-Numeric-BinaryDeliberateRuntimeError-With200Errors.jsp?orderby=1
2016-01-22 10:31:15,998 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case10-InjectionInSearchOrderBy-Numeric-BinaryDeliberateRuntimeError-With200Errors.jsp?orderby=1
2016-01-22 10:31:16,200 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case09-InjectionInUpdate-Numeric-CommandInjection-With200Errors.jsp?msgid=1
2016-01-22 10:31:16,201 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case09-InjectionInUpdate-Numeric-CommandInjection-With200Errors.jsp?msgid=1
2016-01-22 10:31:16,406 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case08-InjectionInCalc-Numeric-BooleanExploit-With200Errors.jsp?minBalanace=10000
2016-01-22 10:31:16,407 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case08-InjectionInCalc-Numeric-BooleanExploit-With200Errors.jsp?minBalanace=10000
2016-01-22 10:31:16,610 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case07-InjectionInSearch-Numeric-UnionExploit-With200Errors.jsp?msgId=1
2016-01-22 10:31:16,610 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case07-InjectionInSearch-Numeric-UnionExploit-With200Errors.jsp?msgId=1
2016-01-22 10:31:16,813 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case06-InjectionInView-Numeric-PermissionBypass-With200Errors.jsp?transactionId=132
2016-01-22 10:31:16,815 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case06-InjectionInView-Numeric-PermissionBypass-With200Errors.jsp?transactionId=132
2016-01-22 10:31:17,021 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case05-InjectionInSearchOrderBy-String-BinaryDeliberateRuntimeError-With200Errors.jsp?orderby=msgid
2016-01-22 10:31:17,022 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case05-InjectionInSearchOrderBy-String-BinaryDeliberateRuntimeError-With200Errors.jsp?orderby=msgid
2016-01-22 10:31:17,226 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case04-InjectionInUpdate-String-CommandInjection-With200Errors.jsp?msg=textvalue
2016-01-22 10:31:17,226 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case04-InjectionInUpdate-String-CommandInjection-With200Errors.jsp?msg=textvalue
2016-01-22 10:31:17,430 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case03-InjectionInCalc-String-BooleanExploit-With200Errors.jsp?username=textvalue
2016-01-22 10:31:17,431 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case03-InjectionInCalc-String-BooleanExploit-With200Errors.jsp?username=textvalue
2016-01-22 10:31:17,636 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case02-InjectionInSearch-String-UnionExploit-With200Errors.jsp?msg=textvalue
2016-01-22 10:31:17,636 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case02-InjectionInSearch-String-UnionExploit-With200Errors.jsp?msg=textvalue
2016-01-22 10:31:17,838 [Thread-76] DEBUG HostProcess - traverse: plugin=Buffer Overflow url=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case01-InjectionInLogin-String-LoginBypass-With200Errors.jsp?password=textvalue2&username=textvalue
2016-01-22 10:31:17,839 [Thread-76] DEBUG HostProcess - scanSingleNode node plugin=Buffer Overflow node=http://localhost:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Error/Case01-InjectionInLogin-String-LoginBypass-With200Errors.jsp?password=textvalue2&username=textvalue
2016-01-22 10:31:17,902 [ZAP-ProxyThread-86] DEBUG API - handleApiRequest http://zap/JSON/ascan/view/status/?scanId=1
2016-01-22 10:31:17,904 [ZAP-ProxyThread-86] DEBUG API - handleApiRequest returning: {"status":"233"}

thc...@gmail.com

Jan 22, 2016, 4:36:45 AM
to zaprox...@googlegroups.com
You can run "Stand Alone" scripts using the "Script Console" tab. [1]


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsConsole

Best regards.

On 22/01/16 09:27, Laurent Jubeau wrote:
> Wrote the script, but how can I run it?
>
> On Friday, 22 January 2016 at 10:12:13 UTC+1, thc202 wrote:
>
> Hi.
>
> Yeah, very strange indeed.
>
> Could you run the following "Stand Alone" JavaScript script:
> var lvl = org.apache.log4j.Level.DEBUG
> org.apache.log4j.Logger.getLogger("org.zaproxy.zap.extension.ascan").setLevel(lvl)
>
> org.apache.log4j.Logger.getLogger("org.zaproxy.zap.extension.api").setLevel(lvl)
>
> org.apache.log4j.Logger.getLogger("org.parosproxy.paros.core.scanner").setLevel(lvl)
>
>
>
> and after that run your script?
> The log should contain more information, hopefully clues to what the
> problem is.
> Note that it will log a lot of things, so you might want to stop the
> scan manually.
> The interesting bits should be between:
> DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest
> http://zap/JSON/ascan/action/scan/?url=.
> <http://zap/JSON/ascan/action/scan/?url=.>..

Laurent Jubeau

Jan 22, 2016, 4:44:54 AM
to OWASP ZAP User Group
Yep :) Posted the logs just before!

kingthorin+owaspzap

Jan 22, 2016, 5:20:19 AM
to OWASP ZAP User Group
Your scan policy =BufferOverflow has almost everything turned off, eg: DEBUG PluginFactory - Theshold=OFF Strength=MEDIUM....was that intentional?

So looking at your logs above it seems that the Bufferoverflow scanner ran from ~31.12 to ~31.17....about 5 sec, it may be finishing just before your sleep timer.....

Laurent Jubeau

Jan 22, 2016, 5:57:58 AM
to OWASP ZAP User Group
Yes, that was intentional: I need a quick scan to test my Python script.

No, it takes more than 5 sec.
The logs are partial, you said the interesting thing should be between "
DEBUG org.zaproxy.zap.extension.api.API  - handleApiRequest http://zap/JSON/ascan/action/scan/?url=...
and
INFO org.parosproxy.paros.core.scanner.HostProcess  - start host" so I didn't put the whole logs. (Do you need them?)

Here are the last messages:

2016-01-22 10:32:00,295 [Thread-76] INFO  HostProcess - completed host/plugin http://localhost:8080 | BufferOverflow in 47.48s
2016-01-22 10:32:00,297 [Thread-76] DEBUG ActiveScan - Plugin 30001 total # reqs: 158
2016-01-22 10:32:00,310 [Thread-76] INFO  HostProcess - completed host http://localhost:8080 in 47.496s
2016-01-22 10:32:00,311 [Thread-75] INFO  Scanner - scanner completed in 47.534s


My Python output:
ScanId 1
Scan progress %: 233
Scan progress %: 522
Scan progress %: 733
Scan progress %: 966
Scan progress %: 1266
Scan progress %: 1544
Scan progress %: 1822
Scan progress %: 2100
Scan progress %: 2388
Scan progress %: 100
Scan completed
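
The output above shows why a `< 100` loop condition ends early: the first status returned is already 233. The following is an added example, not code from this thread or from the ZAP project; it replays those status values through the original style of check and through a stricter poll that only accepts exactly 100 and enforces a timeout. The function names, the timeout and the "exactly 100" rule are assumptions made for illustration; the actual fix is the one tracked by the ZAP developers.

```python
import time

# Status values copied from the Python output posted above.
THREAD_STATUSES = ["233", "522", "733", "966", "1266",
                   "1544", "1822", "2100", "2388", "100"]


class ScanStatusError(Exception):
    """The scan never reported a trustworthy end state before the timeout."""


def naive_poll_count(statuses):
    """Count status reads made by a `while int(status) < 100` style loop."""
    count = 0
    for raw in statuses:
        count += 1
        if not int(raw) < 100:  # 233 is not < 100, so the loop ends here
            break
    return count


def wait_for_scan(get_status, poll_interval=5.0, timeout=3600.0,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll until get_status() returns exactly 100, or raise on timeout.

    get_status is a zero-argument callable, for example
    `lambda: zap.ascan.status(scan_id)` with the id returned by
    zap.ascan.scan. Returns a list of (raw_value, in_range) pairs so the
    caller can log any out-of-range progress values that were seen.
    """
    observations = []
    deadline = clock() + timeout
    while True:
        raw = get_status()
        try:
            value = int(raw)
        except (TypeError, ValueError):
            value = None  # unparsable answer: keep polling until timeout
        in_range = value is not None and 0 <= value <= 100
        observations.append((raw, in_range))
        if value == 100:
            return observations
        if clock() >= deadline:
            raise ScanStatusError(
                "no status of 100 within %.0fs, last value %r" % (timeout, raw))
        sleep(poll_interval)


if __name__ == "__main__":
    replay = iter(THREAD_STATUSES)
    seen = wait_for_scan(lambda: next(replay), sleep=lambda s: None)
    print("naive loop stops after", naive_poll_count(THREAD_STATUSES), "read")
    print("strict poll stops after", len(seen), "reads")
    print("out-of-range values:", [raw for raw, ok in seen if not ok])
```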

thc...@gmail.com

Jan 22, 2016, 6:29:40 AM
to zaprox...@googlegroups.com
Still no clue what's causing that problem :/
Could you attach (or, probably better, send off list) the whole log,
Python script and your ZAP configuration file?

You might need to remove sensitive information.

Best regards.

On 22/01/16 10:57, Laurent Jubeau wrote:
> Yes, that was intentional: I need a quick scan to test my Python script.
>
> No, it takes more than 5 sec.
> The logs are partial, you said the interesting thing should be between "
> DEBUG org.zaproxy.zap.extension.api.API -
> handleApiRequesthttp://zap/JSON/ascan/action/scan/?url=.
> <http://zap/JSON/ascan/action/scan/?url=.>..

thc...@gmail.com

Jan 22, 2016, 6:43:21 AM
to zaprox...@googlegroups.com
I was able to reproduce the issue, but only while running the spider.

Is it possible that the spider is still running while starting/running
the active scanner with your script?

Best regards.

Laurent Jubeau

Jan 22, 2016, 8:00:19 AM
to OWASP ZAP User Group
No, I don't use the Spider.

thc...@gmail.com

Jan 22, 2016, 9:20:02 AM
to zaprox...@googlegroups.com
OK, how are you doing the discovery of the target pages?

Best regards.

On 22/01/16 13:00, Laurent Jubeau wrote:
> No, I don't use the Spider.
>
> On Friday, 22 January 2016 at 12:43:21 UTC+1, thc202 wrote:
>
> I was able to reproduce the issue, but only while running the spider.
>
> Is it possible that the spider is still running while starting/running
> the active scanner with your script?
>
> Best regards.
>
> On 22/01/16 11:29, thc...@gmail.com wrote:
> > Still no clue what's causing that problem :/
> > Could you attach (or, probably better, send off list) the whole log,
> > Python script and your ZAP configuration file?
> >
> > You might need to remove sensitive information.
> >
> > Best regards.
> >
> > On 22/01/16 10:57, Laurent Jubeau wrote:
> >> Yes, that was intentional: I need a quick scan to test my Python script.
> >>
> >> No, it takes more than 5 sec.
> >> The logs are partial, you said the interesting thing should be between "
> >> DEBUG org.zaproxy.zap.extension.api.API -
> >> handleApiRequesthttp://zap/JSON/ascan/action/scan/?url=.
> >> <http://zap/JSON/ascan/action/scan/?url=
> <http://zap/JSON/ascan/action/scan/?url=>.>..

Laurent Jubeau

Jan 22, 2016, 10:23:28 AM
to OWASP ZAP User Group
Web browser configured with ZAP Proxy and browsing applications (WAVSEP or a project from my company)

thc...@gmail.com

Jan 22, 2016, 12:13:02 PM
to zaprox...@googlegroups.com
Thanks, I'll try to reproduce that.

Best regards.

thc...@gmail.com

Jan 28, 2016, 3:37:50 AM
to zaprox...@googlegroups.com
Hi.

The issue is being tracked in:
https://github.com/zaproxy/zaproxy/pull/2208

Thank you.
Best regards.