HTTP Server Response Header question


g

Apr 7, 2021, 6:04:57 PM
to OWASP ZAP User Group

I installed the beta passive scan rules so I could test HTTP Server Response Header.
When I launch a browser from the Quick Start tab and visit the site I'm testing, it returns the following header:
Server: openresty/1.15.8.2

I was expecting to see an Information Disclosure via Response Header alert, but I do not. I also tried setting the threshold for the test to Low, but that didn't make a difference.

What am I misunderstanding?

Using ZAP 2.10.0.

kingthorin+owaspzap

Apr 7, 2021, 9:25:04 PM
to OWASP ZAP User Group
If you proxied the traffic, then installed the new scan rules, then revisited the page but it was cached, it didn't pass through ZAP again with the new rules.

g

Apr 8, 2021, 1:28:58 PM
to OWASP ZAP User Group
Thanks for your response.

Regarding my original post, I was not seeing a Server Leaks Version Information via "Server" HTTP Response Header Field alert while running ZAP 2.10.0 on Ubuntu 20.04 LTS.

I visited the site I'm testing on a different computer, and I see the alert on that machine. It's running MacOS 11.2.3 with ZAP 2.10.0.

In both cases, I'm using ZAP's default context. Any idea why I don't see the alert when I'm using Ubuntu?

kingthorin+owaspzap

Apr 8, 2021, 3:24:17 PM
to OWASP ZAP User Group
Not enough info to be sure. Could be cache, could be disabled rule(s), could be a Java issue.

When you say you're using the default context do you mean you've configured some details of the default context? Do you have Passive Scan set to scan only in-scope?

g

Apr 9, 2021, 2:05:05 PM
to OWASP ZAP User Group
Hi kingthorin,

The problem was that I set the passive scan to only in-scope, but didn't add in-scope URLs to the context.
After unchecking the passive scanner to only scan in-scope, the Server Leaks Version Information via "Server" HTTP Response Header Field alert is now showing.
Thanks for your help.
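The following is an added example, written for this thread and not part of the original posts or of ZAP's own passive scan rules. It models in plain Python the two things that interact in the resolution above: a passive check that flags a Server header carrying a version string (the regex is an approximation, not ZAP's actual matcher), and an "only scan in-scope" switch driven by a list of URL prefixes standing in for a ZAP context. The sample responses are constructed, not captured from the poster's target site. With the switch on and an empty scope, the check never runs, which is the silent failure the thread describes.

```python
import re

# Constructed sample responses: (request URL, response headers).
# None of these were captured from the site discussed in the thread.
SAMPLE_RESPONSES = [
    ("https://app.example.test/", {"Server": "openresty/1.15.8.2"}),
    ("https://app.example.test/login", {"server": "nginx"}),
    ("https://cdn.example.test/lib.js", {"Server": "Apache/2.4.41 (Ubuntu)"}),
    ("https://app.example.test/api", {}),
]

# Approximate version detector: a dotted numeric sequence such as 1.15.8.2.
# This is an assumption for the example, not ZAP's rule implementation.
VERSION_RE = re.compile(r"\d+\.\d+")


def get_header(headers, name):
    """HTTP header names are case-insensitive, so compare them folded."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def leaks_version(server_value):
    """True when a Server header value appears to carry a version number."""
    return bool(VERSION_RE.search(server_value))


def in_scope(url, scope_prefixes):
    """A URL is in scope when it starts with any configured prefix.
    An empty scope means nothing is in scope, mirroring a ZAP context
    with no URLs added to it."""
    return any(url.startswith(prefix) for prefix in scope_prefixes)


def passive_scan(responses, scope_prefixes=(), only_in_scope=False):
    """Run the Server-header check over each response and return alerts
    as (url, server_value) tuples. When only_in_scope is set, responses
    outside the scope are skipped before any rule is evaluated."""
    alerts = []
    for url, headers in responses:
        if only_in_scope and not in_scope(url, scope_prefixes):
            continue  # rule never sees the response, so no alert is possible
        server = get_header(headers, "Server")
        if server and leaks_version(server):
            alerts.append((url, server))
    return alerts


def scan_scenarios(responses):
    """The three configurations discussed in the thread."""
    return {
        # Passive scan not restricted to scope: every response is checked.
        "all": passive_scan(responses),
        # Restricted to scope, but the context has no URLs: nothing checked.
        "in_scope_empty_context": passive_scan(
            responses, scope_prefixes=(), only_in_scope=True),
        # Restricted to scope with the target actually added to the context.
        "in_scope_configured": passive_scan(
            responses, scope_prefixes=("https://app.example.test/",),
            only_in_scope=True),
    }


if __name__ == "__main__":
    for name, alerts in scan_scenarios(SAMPLE_RESPONSES).items():
        print(f"{name}: {len(alerts)} alert(s)")
        for url, server in alerts:
            print(f"  {url} -> Server: {server}")
```

The middle scenario is the one from the thread: the scanner is configured correctly and the rule is enabled, but the scope filter in front of it is empty, so the rule is never given anything to evaluate. When an expected passive alert is missing, checking the scope filter before the rule itself is the cheaper diagnostic.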

kingthorin+owaspzap

Apr 9, 2021, 5:43:16 PM
to OWASP ZAP User Group
Thanks for letting us know.