Docker script zap-api-scan.py not importing openapi definitions

Pavel Hrachou

Nov 17, 2020, 4:02:01 AM
to OWASP ZAP User Group
I'm running the command on the latest weekly build and here's what happens:
"$ zap-api-scan.py -t https://localhost:44363/swagger/v1/swagger.json -f openapi -d
2020-11-17 08:21:04,736 Could not find custom hooks file at /home/zap/.zap_hooks.py
2020-11-17 08:21:04,736 Trigger hook: cli_opts, args: 1
2020-11-17 08:21:04,737 Using port: 49663
2020-11-17 08:21:04,737 Trigger hook: start_zap, args: 2
2020-11-17 08:21:04,737 Starting ZAP
2020-11-17 08:21:04,737 Params: ['zap-x.sh', '-daemon', '-port', '49663', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-addonupdate', '-addoninstall', 'pscanrulesBeta']
2020-11-17 08:21:04,742 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:05,745 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:06,748 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:07,751 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:08,754 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:09,757 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,761 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,807 http://localhost:49663 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2020-11-17 08:21:10,808 ZAP Version D-2020-11-10
2020-11-17 08:21:10,808 Took 6 seconds
2020-11-17 08:21:10,808 Trigger hook: zap_started, args: 2
2020-11-17 08:21:10,810 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,817 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,822 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,828 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:10,831 Trigger hook: importing_openapi, args: 2
2020-11-17 08:21:10,831 Import OpenAPI URL https://localhost:44363/swagger/v1/swagger.json
2020-11-17 08:21:10,832 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:11,434 Starting new HTTP connection (1): localhost:49663
2020-11-17 08:21:11,440 http://localhost:49663 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 11
2020-11-17 08:21:11,442 Number of Imported URLs: 0
2020-11-17 08:21:11,442 Import warnings: illegal_parameter
2020-11-17 08:21:11,442 Failed to import any URLs
Traceback (most recent call last):
  File "/zap//zap-api-scan.py", line 401, in main
    raise NoUrlsException()
NoUrlsException
Found Java version 11.0.9
Available memory: 12707 MB
Using JVM args: -Xmx3176m
1016 [main] INFO  org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-11-10 started 17/11/2020, 08:21:05 with home /home/zap/.ZAP_D/
1049 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was true
1049 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was .*
1050 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was true
1058 [main] INFO  org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
1058 [main] INFO  org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
1147 [main] INFO  org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
1150 [main] INFO  org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
1638 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
1656 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
1669 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
1669 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
1733 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Loading extensions
2778 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=11.0.0], [id=ascanrules, version=37.0.0], [id=ascanrulesBeta, version=32.0.0], [id=bruteforce, version=10.0.0], [id=commonlib, version=1.2.0], [id=coreLang, version=14.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=10.0.0], [id=encoder, version=0.4.0], [id=formhandler, version=3.0.0], [id=fuzz, version=13.1.0], [id=gettingStarted, version=12.0.0], [id=graphql, version=0.2.0], [id=help, version=11.0.0], [id=hud, version=0.13.0], [id=importurls, version=8.0.0], [id=invoke, version=11.0.0], [id=onlineMenu, version=8.0.0], [id=openapi, version=17.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=30.0.0], [id=pscanrulesBeta, version=23.0.0], [id=quickstart, version=29.0.0], [id=replacer, version=9.0.0], [id=retire, version=0.6.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=6.0.0], [id=savexmlmessage, version=0.2.0], [id=scripts, version=27.0.0], [id=selenium, version=15.3.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.3.0], [id=tips, version=8.0.0], [id=webdriverlinux, version=23.0.0], [id=webdrivermacos, version=22.0.0], [id=webdriverwindows, version=23.0.0], [id=websocket, version=23.0.0], [id=zest, version=33.0.0]]
3241 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
3491 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
3494 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
3494 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
3494 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
3504 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
3505 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
3506 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
3508 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
3509 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
3510 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
3512 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
3579 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
3579 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
3579 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
3580 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
3580 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
3580 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
3580 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
3580 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
3581 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
3582 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
3582 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
3582 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
3582 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
3583 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
3584 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
3584 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
3584 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
3584 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
3584 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
3585 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header
3585 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
3585 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
3585 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
3586 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
3587 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
3588 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
3588 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
3588 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
3588 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
3588 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
3604 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
3605 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
3612 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
3612 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
3620 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
3620 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
3621 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
3622 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
3622 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
3622 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
3622 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
3624 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
3638 [ZAP-daemon] INFO  org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
3639 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
3830 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
3830 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
3833 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
3833 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
3848 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
3955 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
3956 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
3957 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
4102 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
4103 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
4103 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
4103 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
4103 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
4108 [ZAP-daemon] INFO  org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
4108 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
4108 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
4127 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
4129 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
4129 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
4130 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
4132 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
4136 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
4136 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
4137 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
4137 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
4137 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
4137 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
4138 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
4138 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
4138 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
4138 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
4139 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
4139 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
4139 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
4139 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
4139 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
4140 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
4141 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
4142 [ZAP-daemon] INFO  org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
4143 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Definition
4143 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
4145 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
4146 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
4149 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
4150 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
4151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
4151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
4151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
4151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
4152 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing DOM XSS Active Scan Rule
4208 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
4208 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
4209 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
4209 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
4240 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
4241 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
4242 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
4242 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
4242 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
4243 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
4244 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
4245 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
4246 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
4246 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
4247 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
4394 [ZAP-daemon] INFO  org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:43661
5662 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on update check complete
5666 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-23.zap
5667 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:49663
6546 [ZAP-ProxyThread-6] WARN  org.zaproxy.zap.extension.openapi.ExtensionOpenApi - Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399) ~[?:?]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242) ~[?:?]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224) ~[?:?]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403) ~[?:?]
        at java.net.Socket.connect(Socket.java:609) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:289) ~[?:?]
        at org.parosproxy.paros.network.SSLConnector.createSocket(SSLConnector.java:458) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728) ~[zap-D-2020-11-10.jar:?]
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:457) ~[zap-D-2020-11-10.jar:?]
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-D-2020-11-10.jar:?]
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
        at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:426) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:667) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:623) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:598) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:486) ~[zap-D-2020-11-10.jar:D-2020-11-10]
        at org.zaproxy.zap.extension.openapi.network.Requestor.getResponseBody(Requestor.java:92) ~[openapi-beta-17.zap:?]
        at org.zaproxy.zap.extension.openapi.ExtensionOpenApi.importOpenApiDefinition(ExtensionOpenApi.java:174) [openapi-beta-17.zap:?]
        at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:108) [openapi-beta-17.zap:?]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506) [zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499) [zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335) [zap-D-2020-11-10.jar:D-2020-11-10]
        at java.lang.Thread.run(Thread.java:834) [?:?]
6555 [ZAP-ProxyThread-6] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/openapi/action/importUrl/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: illegal_parameter
        at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:112) ~[?:?]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506) [zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499) [zap-D-2020-11-10.jar:D-2020-11-10]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335) [zap-D-2020-11-10.jar:D-2020-11-10]
        at java.lang.Thread.run(Thread.java:834) [?:?]
2020-11-17 08:21:11,448 Trigger hook: pre_exit, args: 3"

I assume that here lies the issue:
"2020-11-17 08:21:11,440 http://localhost:49663 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 11
2020-11-17 08:21:11,442 Number of Imported URLs: 0
2020-11-17 08:21:11,442 Import warnings: illegal_parameter"

I also tried to run the latest stable:
"$ zap-api-scan.py -t https://localhost:44363/swagger/v1/swagger.json -f openapi -d
2020-11-17 08:55:59,269 Could not find custom hooks file at /home/zap/.zap_hooks.py
2020-11-17 08:55:59,269 Trigger hook: cli_opts, args: 1
2020-11-17 08:55:59,269 Using port: 60028
2020-11-17 08:55:59,269 Trigger hook: start_zap, args: 2
2020-11-17 08:55:59,270 Starting ZAP
2020-11-17 08:55:59,270 Params: ['zap-x.sh', '-daemon', '-port', '60028', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-addonupdate', '-addoninstall', 'pscanrulesBeta']
2020-11-17 08:55:59,275 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:00,278 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:01,281 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:02,284 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,287 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,320 http://localhost:60028 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 19
2020-11-17 08:56:03,321 ZAP Version 2.9.0
2020-11-17 08:56:03,321 Took 4 seconds
2020-11-17 08:56:03,322 Trigger hook: zap_started, args: 2
2020-11-17 08:56:03,323 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,330 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,334 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,339 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,342 Trigger hook: importing_openapi, args: 2
2020-11-17 08:56:03,342 Import OpenAPI URL https://localhost:44363/swagger/v1/swagger.json
2020-11-17 08:56:03,344 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,887 Starting new HTTP connection (1): localhost:60028
2020-11-17 08:56:03,928 http://localhost:60028 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 11
2020-11-17 08:56:03,929 Number of Imported URLs: 0
2020-11-17 08:56:03,929 Import warnings: Internal Error
2020-11-17 08:56:03,929 Failed to import any URLs
Traceback (most recent call last):
  File "/zap//zap-api-scan.py", line 397, in main
    raise NoUrlsException()
NoUrlsException
Found Java version 1.8.0_242
Available memory: 12707 MB
Using JVM args: -Xmx3176m
0 [main] INFO org.zaproxy.zap.DaemonBootstrap  - OWASP ZAP 2.9.0 started 17/11/20 08:55:59 with home /home/zap/.ZAP/
25 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.disablekey = true was true
25 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.name = .* was .*
26 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.regex = true was true
32 [main] INFO org.parosproxy.paros.network.SSLConnector  - Reading supported SSL/TLS protocols...
32 [main] INFO org.parosproxy.paros.network.SSLConnector  - Using a SSLEngine...
97 [main] INFO org.parosproxy.paros.network.SSLConnector  - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
101 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate  - Unsafe SSL renegotiation disabled.
484 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open start
499 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open end
551 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions
732 [ZAP-daemon] WARN org.zaproxy.zap.control.AddOnCollection  - Failed to create add-on for selenium
java.util.zip.ZipException: error in opening zip file
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(ZipFile.java:225)
        at java.util.zip.ZipFile.<init>(ZipFile.java:155)
        at java.util.zip.ZipFile.<init>(ZipFile.java:169)
        at org.zaproxy.zap.control.AddOn.loadManifestFile(AddOn.java:565)
        at org.zaproxy.zap.control.AddOn.<init>(AddOn.java:656)
        at org.zaproxy.zap.control.AddOnCollection.load(AddOnCollection.java:142)
        at org.zaproxy.zap.control.AddOnCollection.<init>(AddOnCollection.java:59)
        at org.zaproxy.zap.control.AddOnCollection.<init>(AddOnCollection.java:51)
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getPreviousVersionInfo(ExtensionAutoUpdate.java:1112)
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.initialize(ExtensionAutoUpdate.java:178)
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.<init>(ExtensionAutoUpdate.java:167)
        at org.zaproxy.zap.control.CoreFunctionality.createExtensions(CoreFunctionality.java:82)
        at org.zaproxy.zap.control.CoreFunctionality.getBuiltInExtensions(CoreFunctionality.java:60)
        at org.zaproxy.zap.control.ExtensionFactory.loadAllExtension(ExtensionFactory.java:104)
        at org.parosproxy.paros.control.Control.addExtension(Control.java:181)
        at org.parosproxy.paros.control.AbstractControl.loadExtension(AbstractControl.java:54)
        at org.parosproxy.paros.control.Control.init(Control.java:137)
        at org.parosproxy.paros.control.Control.initSingletonWithoutViewAndProxy(Control.java:367)
        at org.zaproxy.zap.HeadlessBootstrap.initControl(HeadlessBootstrap.java:58)
        at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:78)
        at java.lang.Thread.run(Thread.java:748)
1311 [ZAP-daemon] WARN org.zaproxy.zap.control.AddOn  - Invalid add-on: /home/zap/.ZAP/plugin/selenium-release-15.2.0.zap. error in opening zip file
1390 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Installed add-ons: [[id=alertFilters, version=10.0.0], [id=ascanrules, version=36.0.0], [id=bruteforce, version=9.0.0], [id=commonlib, version=1.1.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=fuzz, version=13.0.1], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.12.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=16.0.0], [id=pscanrules, version=29.0.0], [id=pscanrulesBeta, version=22.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.1.0], [id=spiderAjax, version=23.2.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=22.0.0], [id=websocket, version=22.0.0], [id=zest, version=32.0.0]]
1599 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Extensions loaded
1718 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows ZAP to check for updates
1720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Options Extension
1720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Edit Menu Extension
1720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a rest based API for controlling and accessing ZAP
1728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session State Extension
1728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Report Extension
1728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing History Extension
1729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Show hidden fields and enable disabled fields
1729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Search messages for strings and regular expressions
1731 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Encode/Decode/Hash...
1731 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to intercept and modify requests and responses
1732 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive scanner
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Script Passive Scan Rules
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Stats Passive Scan Rule
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Absence of Anti-CSRF Tokens
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Charset Mismatch
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: CSP Scanner
1783 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Loosely Scoped Cookie
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without SameSite Attribute
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain Misconfiguration
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Debug Error Messages
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Suspicious Comments
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Weak Authentication Method
1784 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Insecure JSF ViewState
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Timestamp Disclosure
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Username Hash Found
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Viewstate Scanner
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-AspNet-Version Response Header Scanner
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Debug-Token Information Leak
1785 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Directory Browsing
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Hash Disclosure
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
1786 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Reverse Tabnabbing
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Modern Web Application
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: PII Disclosure
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Retrieved from Cache
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Server Response Header Scanner
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Parameter Override
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Strict-Transport-Security Header Scanner
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable Charset
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Poisoning
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable JavaScript Event (XSS)
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Open Redirect
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Backend-Server Header Information Leak
1787 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
1801 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to view and manage alerts
1803 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
1811 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Spider used for automatically finding URIs on a site
1816 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing A set of common popup menus for miscellaneous tasks
1816 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
1817 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manual Request Editor Extension
1817 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Compares 2 sessions and generates an HTML file showing the differences
1817 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Invoke external applications passing context related information such as URLs and parameters
1818 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles anti cross site request forgery (CSRF) tokens
1819 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authentication Extension
1829 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication  - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
1831 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
1866 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Logs errors to the Output tab in development mode only
1866 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Users Extension
1868 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Summarise and analyse FORM and URL parameters as well as cookies
1869 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Script integration
1883 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Scripting console, supports all JSR 223 scripting languages
1978 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced User Extension
1978 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Extension handling HTTP sessions
1980 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
2124 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionDiff
2124 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Post Table View Extension
2124 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session Management Extension
2128 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement  - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
2129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Form Table View Extension
2129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Capture messages from WebSockets with the ability to set breakpoints.
2138 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
2138 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Core UI related functionality.
2138 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authorization Extension
2139 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing AJAX Spider, uses Crawljax
2140 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
2143 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manages the local proxy configurations
2144 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles adding Global Excluded URLs
2144 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds menu item to refresh the Sites tree
2144 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing OWASP ZAP User Guide
2144 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a URL suitable for calling from target sites
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to configure which extensions are loaded when ZAP starts
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Combined HTTP Panels Extension
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Hex View Extension
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Image View Extension
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Request View Extension
2145 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Response View Extension
2146 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Query Table View Extension
2146 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Syntax Highlighter View Extension
2146 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
2146 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active and passive rule configuration
2147 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Statistics
2148 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats  - Start recording in memory stats
2149 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The Online menu links
2149 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveXMLHttpMessage
2149 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveRawHttpMessage
2149 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Easy way to replace strings in requests and responses
2151 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Context alert rules filter
2153 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The ZAP Getting Started Guide
2153 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Tips and Tricks
2153 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds the Quick Start panel for scanning and exploring applications
2155 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Add the option to use the Ajax Spider in the Quick Start scan
2155 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
2155 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
2156 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules
2156 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules
2156 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
2166 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
2167 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz HTTP messages.
2167 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Heads Up Display
2198 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHUDlaunch
2200 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules - beta
2200 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz WebSocket messages.
2278 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback  - Started callback server on 0.0.0.0:40419
2914 [ZAP-cfu] WARN org.zaproxy.zap.control.AddOnCollection  - Failed to create add-on for selenium
java.util.zip.ZipException: error in opening zip file
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(ZipFile.java:225)
        at java.util.zip.ZipFile.<init>(ZipFile.java:155)
        at java.util.zip.ZipFile.<init>(ZipFile.java:169)
        at org.zaproxy.zap.control.AddOn.loadManifestFile(AddOn.java:565)
        at org.zaproxy.zap.control.AddOn.<init>(AddOn.java:656)
        at org.zaproxy.zap.control.AddOnCollection.load(AddOnCollection.java:142)
        at org.zaproxy.zap.control.AddOnCollection.<init>(AddOnCollection.java:59)
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate$8.run(ExtensionAutoUpdate.java:1197)
3403 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on update check complete
3406 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on already installed: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-22.zap
3406 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:60028
4074 [ZAP-ProxyThread-6] WARN org.zaproxy.zap.extension.openapi.ExtensionOpenApi  - Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:607)
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666)
        at org.parosproxy.paros.network.SSLConnector.createSocket(SSLConnector.java:450)
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728)
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:449)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:201)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:418)
        at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:653)
        at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:609)
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585)
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
        at org.zaproxy.zap.extension.openapi.network.Requestor.getResponseBody(Requestor.java:92)
        at org.zaproxy.zap.extension.openapi.ExtensionOpenApi.importOpenApiDefinition(ExtensionOpenApi.java:173)
        at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:108)
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
        at java.lang.Thread.run(Thread.java:748)
4075 [ZAP-ProxyThread-6] ERROR org.zaproxy.zap.extension.api.API  - Exception while handling API request:
java.lang.NullPointerException
        at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:112)
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
        at java.lang.Thread.run(Thread.java:748)
2020-11-17 08:56:03,933 Trigger hook: pre_exit, args: 3"

Simon Bennetts

Nov 17, 2020, 4:13:09 AM11/17/20
to OWASP ZAP User Group
I would guess that https://localhost:44363/swagger/v1/swagger.json is not accessible inside the docker container - docker networking can be a pain ;)
To test this just start the ZAP docker image with bash and try to curl to it - I would expect that to fail.
It should be possible to access your swagger definition somehow but I think it's a docker networking issue rather than a ZAP one.
If the other service is running in another docker container then try using "--network host" when you start it, or define a docker network and use that when you start both images.

Cheers,

Simon
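
The diagnosis in the reply above can be read straight off the debug output. The following is an added example, not part of the original thread and not ZAP's own code: a small triage script that separates the failed fetch of the OpenAPI definition from the other exceptions in the log and flags a loopback target. The function names, cause labels and advice text are this example's own, and the two exception classes beyond `ConnectException` are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines trimmed from the output quoted in this thread (most stack frames dropped).
SAMPLE_LOG = """\
2020-11-17 08:56:03,342 Import OpenAPI URL https://localhost:44363/swagger/v1/swagger.json
2020-11-17 08:56:03,929 Number of Imported URLs: 0
2020-11-17 08:56:03,929 Import warnings: Internal Error
732 [ZAP-daemon] WARN org.zaproxy.zap.control.AddOnCollection  - Failed to create add-on for selenium
java.util.zip.ZipException: error in opening zip file
4074 [ZAP-ProxyThread-6] WARN org.zaproxy.zap.extension.openapi.ExtensionOpenApi  - Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method)
4075 [ZAP-ProxyThread-6] ERROR org.zaproxy.zap.extension.api.API  - Exception while handling API request:
java.lang.NullPointerException
"""

PY_IMPORT_URL = re.compile(r"Import OpenAPI URL (\S+)")
PY_IMPORTED = re.compile(r"Number of Imported URLs: (\d+)")
JAVA_LOG = re.compile(r"^\d+ \[[^\]]+\] \w+ (\S+)\s+-")
JAVA_EXC = re.compile(r"^([a-z]+(?:\.\w+)+(?:Exception|Error))(?::\s*(.*))?$")
OPENAPI_PKG = "org.zaproxy.zap.extension.openapi."

# Exception class -> cause label. Only ConnectException appears in the thread;
# the other two are standard Java classes, included on the assumption that the
# OpenAPI add-on would log them through the same logger.
CAUSES = {
    "java.net.ConnectException": "tcp_connect_failed",
    "java.net.UnknownHostException": "dns_lookup_failed",
    "javax.net.ssl.SSLHandshakeException": "tls_handshake_failed",
}


def is_loopback(host):
    """True if host names the local machine (inside a container: the container itself)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name


def triage(log_text):
    """Find why the OpenAPI import returned no URLs in a `zap-api-scan.py -d` log."""
    result = {"target": None, "imported": None, "cause": "unknown", "detail": None,
              "loopback_target": False, "other_exceptions": [], "advice": None}
    logger = None  # logger named on the most recent Java log line
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PY_IMPORT_URL.search(line):
            result["target"] = m.group(1)
        elif m := PY_IMPORTED.search(line):
            result["imported"] = int(m.group(1))
        elif m := JAVA_LOG.match(line):
            logger = m.group(1)
        elif logger and (m := JAVA_EXC.match(line)):
            exc, detail = m.group(1), m.group(2)
            if logger.startswith(OPENAPI_PKG) and exc in CAUSES:
                result["cause"], result["detail"] = CAUSES[exc], detail
            else:
                # Exceptions logged by other components (the add-on loader, the
                # API request handler) are kept apart so they do not mask the
                # fetch failure.
                result["other_exceptions"].append((logger, exc))
    host = urlsplit(result["target"] or "").hostname
    result["loopback_target"] = is_loopback(host)
    if result["cause"] == "tcp_connect_failed" and result["loopback_target"]:
        result["advice"] = (
            "The definition URL points at loopback, which inside the container "
            "is the container itself: curl it from a shell in the ZAP image, "
            "then try --network host or a shared docker network."
        )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
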

Pavel Hrachou

Nov 17, 2020, 4:27:53 AM11/17/20
to OWASP ZAP User Group
Oh, thanks. Definitely need to check.
The lack of a newbie guide and examples in the docs confuses me.
Can I ask you more about this script? I assume that "-t https://localhost:44363/swagger/v1/swagger.json -f openapi" is the same thing as "URL pointing to OpenAPI defn", but how do I specify "Target URL"?

Tuesday, November 17, 2020 at 12:13:09 UTC+3, psi...@gmail.com:

Simon Bennetts

Nov 23, 2020, 5:11:12 AM11/23/20
to OWASP ZAP User Group
Just point your browser at the host:port ZAP is listening on and follow the first 'API' link then the 'openapi' link.
You should see that the 'importurl' action has an optional 'hostOverride' parameter.

Cheers,

Simon