ZAP Features and JAVA Version


Illia

Sep 8, 2023, 12:07:07 AM
to ZAP User Group
Hi there,

I would like to know if there are any ZAP features which are not supported or working if we are using a JDK greater than JDK 11?

I know that JDK 11 has the Nashorn engine and the versions after that do not. But what if I am not adding any script in my Automation plan (currently I only have import, active scan and report jobs)?

Because I noticed when I am using JDK 17 or JDK 20, when I close ZAP GUI, this message will pop up

image

Illia

Sep 8, 2023, 12:08:15 AM
to ZAP User Group
Attaching the screenshot here as it seems the image was not displayed properly
popupmessage.png

Simon Bennetts

Sep 8, 2023, 2:49:09 AM
to ZAP User Group
I'm not aware of any problems other than the Nashorn one you mentioned.
I regularly use Java 17.
The screenshot you shared is just saying that a specific script has not been saved. I think that's probably a bug as I've seen that before, but it's safe to ignore it unless you have made changes to a script that you want to keep.

Cheers,

Simon

thc...@gmail.com

Sep 8, 2023, 3:42:37 AM
to zaprox...@googlegroups.com
Also, that script no longer exists in the latest version of SOAP add-on.
https://github.com/zaproxy/zap-extensions/releases/tag/soap-v19

Best regards.

On 08/09/2023 07:49, Simon Bennetts wrote:
> I'm not aware of any problems other than the Nashorn one you mentioned.
> I regularly use Java 17.
> The screenshot you shared is just saying that a specific script has not
> been saved. I think that's probably a bug as I've seen that before, but it's
> safe to ignore it unless you have made changes to a script that you want
> to keep.
>
> Cheers,
>
> Simon
>
> On Friday, 8 September 2023 at 06:08:15 UTC+2 Illia wrote:
>
>> Attaching the screenshot here as it seems the image was not displayed
>> properly
>>
>> On Friday, 8 September 2023 at 12:07:07 UTC+8 Illia wrote:
>>
>>> Hi there,
>>>
>>> I would like to know if there are any ZAP features which are not
>>> supported or working if we are using JDK greater than JDK 11?
>>>
>>> I know that JDK 11 have Nashorn engine and the versions after that do
>>> not. But what if I am not adding any script in my Automation plan
>>> (currently only have *import, active scan and report jobs)*

Illia

Sep 9, 2023, 6:07:04 AM
to ZAP User Group
Hi Simon and thc202,

Thank you for the fast replies! I appreciate it.

I'll check about the latest version of SOAP, perhaps I did not update it.

I also saw that I have a bunch of these same messages appearing in the zap.log file:

[ZAP-ActiveScanner-8] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Could not start a new session. Response code 500. Message: Expected browser binary location, but unable to find binary in default location, no 'moz:firefoxOptions.binary' capability provided, and no binary flag set on the command line
Host info: host: 'example', ip: 'exampleIP'
Build info: version: '4.10.0', revision: 'c14d967899'
System info: os.name: 'Windows 10', os.arch: 'amd64', os.version: '10.0', java.version: '20.0.2'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [null, newSession {capabilities=[Capabilities {acceptInsecureCerts: true, browserName: firefox, moz:debuggerAddress: true, moz:firefoxOptions: {args: [-headless], prefs: {browser.tabs.documentchannel: false, devtools.jsonview.enabled: false, dom.serviceWorkers.enabled: true, network.captive-portal-service.enabled: false, network.proxy.allow_hijacking_localhost: true, network.proxy.http: exampleIP, network.proxy.http_port: examplePort, network.proxy.no_proxies_on: , network.proxy.share_proxy_settings: true, network.proxy.ssl: exampleIP, network.proxy.ssl_port: examplePort, network.proxy.type: 1}}, unhandledPromptBehavior: ignore}]}]

My laptop only has the Chrome and Edge browsers installed; ideally I want DomXssScan to use either Chrome or Edge, but when I checked the config.xml located in C:\Users\Local User\OWASP ZAP\config.xml, I saw it has already been set to Chrome:

<domxss> <browserid>Chrome</browserid> </domxss>

Can I know why this warning message is appearing in the log file and why is it showing firefox browser even though in config.xml is specifying "Chrome"?
I am running my automation plan with -cmd and -session parameter if it helps.

thc...@gmail.com

Sep 9, 2023, 6:37:11 AM
to zaprox...@googlegroups.com
It should be chrome (all lower case) but for DOM XSS scan rule
chrome-headless is probably what you want.

For all the supported IDs see:
https://www.zaproxy.org/docs/desktop/addons/selenium/#supported-browsers

Best regards.

Illia

Sep 9, 2023, 6:58:06 AM
to ZAP User Group
Hi thc202,

Great, I'll try that out!

Just to make it clear, do I have to change it directly in the config.xml file, or can I change it by using the -config parameter on the command line:
-config domxss.browserId="chrome-headless"

Another bunch of messages which I saw in the log file is these:

[ZAP-ActiveScanner-1] ERROR RemoteCodeExecutionCve20121823ScanRule - Error scanning a URL for Remote Code Execution via CVE-2012-1823: Connect to https://https://example:443 [example.com/example] failed: Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Connect to https://https://example:443 [example.com/example] failed: Read timed out
at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
at sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:304) ~[?:?]
at sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:345) ~[?:?]
at sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:794) ~[?:?]
at java.net.Socket$SocketInputStream.read(Socket.java:1025) ~[?:?]
at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483) ~[?:?]
at sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:477) ~[?:?]
at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.executeHandshake(SSLConnectionSocketFactory.java:303) ~[?:?]
at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275) ~[?:?]
at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:251) ~[?:?]
at org.zaproxy.addon.network.internal.client.apachev5.SslConnectionSocketFactory.connectSocket(SslConnectionSocketFactory.java:195) ~[?:?]
at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:181) ~[?:?]
at org.apache.hc.client5.http.impl.io.ZapHttpClientConnectionOperator.connect(ZapHttpClientConnectionOperator.java:95) ~[?:?]
at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:447) ~[?:?]
at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:162) ~[?:?]
at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:172) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:142) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:178) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:173) ~[?:?]
at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245) ~[?:?]
at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188) ~[?:?]
at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:481) ~[?:?]
at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:362) ~[?:?]
at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendRateLimited(BaseHttpSender.java:412) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:381) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:349) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:305) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:276) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:233) ~[?:?]
at org.parosproxy.paros.network.HttpSender.sendImpl(HttpSender.java:524) ~[zap-2.13.0.jar:2.13.0]
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:356) ~[zap-2.13.0.jar:2.13.0]
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:315) ~[zap-2.13.0.jar:2.13.0]
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:252) ~[zap-2.13.0.jar:2.13.0]
at org.zaproxy.zap.extension.ascanrules.RemoteCodeExecutionCve20121823ScanRule.scan(RemoteCodeExecutionCve20121823ScanRule.java:174) ~[?:?]
at org.zaproxy.zap.extension.ascanrules.RemoteCodeExecutionCve20121823ScanRule.scan(RemoteCodeExecutionCve20121823ScanRule.java:148) ~[?:?]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:368) ~[zap-2.13.0.jar:2.13.0]
at java.lang.Thread.run(Thread.java:1623) [?:?]

I am already using -config network.connection.timeoutInSecs=120 parameter
Does this message mean that I have to increase the timeout even more?

Thanks
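
The two symptoms in this post (a scan rule skipped because no browser could be started, and read timeouts from the CVE-2012-1823 rule) and the browserid value in config.xml can be triaged from the log and config files directly. The script below is an added example, not part of this thread or of ZAP itself. The log lines and config fragment it embeds are constructed from the excerpts quoted in this thread (trimmed), and KNOWN_BROWSER_IDS is an assumption based on the Selenium add-on's supported-browser IDs, not a list taken from this thread.

```python
"""Triage helper for a ZAP config.xml browser ID and the zap.log symptoms above.

Added example; the sample config and log lines are constructed from the
excerpts in this thread and are not a real ZAP session.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: documented Selenium add-on browser IDs (all lower case).
KNOWN_BROWSER_IDS = {"chrome", "chrome-headless", "firefox", "firefox-headless"}

BROWSER_FAIL_RE = re.compile(
    r"\[(?P<thread>ZAP-ActiveScanner-\d+)\]\s+WARN\s+(?P<rule>\S+)\s+-\s+"
    r"Skipping scanner, failed to start browser: (?P<reason>.*)"
)
TIMEOUT_RE = re.compile(
    r"\[(?P<thread>ZAP-ActiveScanner-\d+)\]\s+ERROR\s+(?P<rule>\S+)\s+-\s+.*?"
    r"Connect to (?P<target>\S+) .*?failed: (?P<reason>Read timed out|connect timed out)"
)

# Constructed config fragment, wrapped in ZAP's <config> root element.
SAMPLE_CONFIG = "<config><domxss> <browserid>Chrome</browserid> </domxss></config>"

# Constructed log excerpt: one browser-start warning with its continuation
# lines, one timeout with its stack trace, and a second timeout from another
# scanner thread.
SAMPLE_LOG = """\
[ZAP-ActiveScanner-8] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Could not start a new session. Response code 500. Message: Expected browser binary location, but unable to find binary in default location
Host info: host: 'example', ip: 'exampleIP'
[ZAP-ActiveScanner-1] ERROR RemoteCodeExecutionCve20121823ScanRule - Error scanning a URL for Remote Code Execution via CVE-2012-1823: Connect to https://https://example:443 [example.com/example] failed: Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Connect to https://https://example:443 [example.com/example] failed: Read timed out
at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
[ZAP-ActiveScanner-3] ERROR RemoteCodeExecutionCve20121823ScanRule - Error scanning a URL for Remote Code Execution via CVE-2012-1823: Connect to https://example.com:443 [example.com/other] failed: Read timed out
"""


def check_browser_id(config_xml: str):
    """Return (value, problem) for <domxss><browserid> in a config.xml string.

    problem is None when the ID is one of the known lower-case IDs; a
    case-only mismatch (e.g. "Chrome") gets a hint naming the lower-case form.
    """
    root = ET.fromstring(config_xml)
    node = root.find("browserid") if root.tag == "domxss" else root.find(".//domxss/browserid")
    if node is None or not (node.text or "").strip():
        return None, "no domxss/browserid value set"
    value = node.text.strip()
    if value in KNOWN_BROWSER_IDS:
        return value, None
    if value.lower() in KNOWN_BROWSER_IDS:
        return value, f"browser ID is case-sensitive; use '{value.lower()}'"
    return value, "unknown browser ID"


def triage_log(lines):
    """Count browser-start failures and read timeouts per scan rule.

    Only the scanner's own WARN/ERROR lines are matched, so the exception
    line and stack frames that follow an error are not double counted.
    Targets whose URL carries more than one scheme are collected separately,
    since a malformed target times out regardless of the timeout setting.
    """
    browser_failures = Counter()
    timeouts = Counter()
    odd_targets = []
    for line in lines:
        m = BROWSER_FAIL_RE.search(line)
        if m:
            browser_failures[m.group("rule")] += 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            timeouts[m.group("rule")] += 1
            if m.group("target").count("://") > 1:
                odd_targets.append(m.group("target"))
    return {
        "browser_failures": dict(browser_failures),
        "timeouts": dict(timeouts),
        "odd_targets": odd_targets,
    }


if __name__ == "__main__":
    print("browserid:", check_browser_id(SAMPLE_CONFIG))
    print("log:", triage_log(SAMPLE_LOG.splitlines()))
```

Run it against a real installation by reading config.xml and zap.log from disk instead of the constructed samples; the split between "browser failures" (a browser/config problem, independent of timeouts) and "timeouts" tells you which knob each symptom belongs to, and any entry in odd_targets points at a target URL worth checking before raising network.connection.timeoutInSecs further.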

Illia

Sep 10, 2023, 9:19:28 PM
to ZAP User Group
Hi,

I tried changing the config.xml browserId to "chrome-headless" and I noticed that after I close ZAP, the value changes to "Chrome" again when I check back using Notepad++.

Any help on this and the previous message?

Illia

Sep 11, 2023, 9:10:43 PM
to ZAP User Group
I tried adding chrome to my PATH and the message no longer appears.

Thank you thc202 and Simon for answering my questions.
