Active Scan won't discover DOM XSS in OWASP Juice Shop


Matthias Müller

Jan 1, 2026, 7:09:49 AM
to ZAP User Group
TL;DR
Have ZAP discover the DOM-based XSS vulnerability on the Juice Shop search page:
ZAP does not detect the built in DOM XSS vulnerability in http://localhost:3000/#/search, even though the Client Spider discovers the URL and the DOM XSS scan rule runs without errors.

Environment
Start Juice Shop via Docker on macOS
docker run -d --name js --rm -p 3000:3000 bkimminich/juice-shop

Start ZAP via Docker
docker run --rm -d --name zaproxy -u zap -v /path/to/zap:/home/zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap-webswing.sh


Steps in ZAP

1. Create an automation pipeline (see full yaml below)
2. Create scan policy with single activated policy: "Cross Site Scripting (DOM Based)"
3. Start Client Spider on http://host.docker.internal:3000
4. Start Active Scan on starting point http://host.docker.internal:3000

Expected result
- The DOM-based XSS in #/search should be detected.

Actual result
- Search URL was discovered and is listed in Client Map: http://host.docker.internal:3000/#/search?
- DOM XSS scan rule (40026) runs
- No errors in logs
- 0 messages sent, 0 alerts raised

Automation script

env:
  contexts:
  - name: js
    urls:
    - http://host.docker.internal:3000/
    includePaths:
    - http://host.docker.internal:3000/.*
    excludePaths:
    - https://firefox.settings.services.mozilla.com/.*
    - https://firefox-settings-attachments.cdn.mozilla.net/.*
    - https://twitter.com/.*
    - http://host.docker.internal:3000/#/score-board.*
    authentication:
      verification:
        method: response
        pollFrequency: 60
        pollUnits: requests
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
  parameters: {}
jobs:
- type: script
  parameters:
    name: setLogLevel
    type: active
    action: add
    engine: "ECMAScript : Graal.js"
    inline: |-
      var Configurator = Java.type("org.apache.logging.log4j.core.config.Configurator");
      var Level = Java.type("org.apache.logging.log4j.Level");
      Configurator.setLevel({
        "org.zaproxy" : Level.DEBUG,
      });
  alwaysRun: true
- type: spiderClient
  parameters:
    context: js
    url: http://host.docker.internal:3000
    maxDuration: 0
    maxChildren: 0
- type: activeScan
  parameters:
    context: js
    url: http://host.docker.internal:3000
    maxAlertsPerRule: 20
  policyDefinition:
    defaultStrength: medium
    defaultThreshold: "off"
    rules:
    - name: Cross Site Scripting (DOM Based)
      id: 40026
      threshold: high
      strength: high
  alwaysRun: true
- type: report
  parameters:
    reportTitle: ZAP by Checkmarx Scanning Report
  alwaysRun: true
- type: exitStatus
  parameters: {}

Logs
...
2025-12-31 16:21:55,798 [ZAP-Automation] INFO  CommandLine - Job spiderClient finished, time taken: 00:00:26
2025-12-31 16:21:55,799 [ZAP-Automation] INFO  CommandLine - Job activeScan started
2025-12-31 16:21:55,801 [ZAP-Automation] INFO  CommandLine - Job activeScan set default strength to MEDIUM
2025-12-31 16:21:55,801 [ZAP-Automation] INFO  CommandLine - Job activeScan set default threshold to OFF
2025-12-31 16:21:55,801 [ZAP-Automation] INFO  CommandLine - Job activeScan set rule 40026 strength to HIGH
2025-12-31 16:21:55,801 [ZAP-Automation] INFO  CommandLine - Job activeScan set rule 40026 threshold to HIGH
2025-12-31 16:21:55,801 [ZAP-Automation] INFO  Scanner - scanner with ID 0 started
2025-12-31 16:21:55,934 [ZAP-Scanner-0] INFO  HostProcess - Scanning 125 node(s) from http://host.docker.internal:3000
2025-12-31 16:21:55,934 [ZAP-Scanner-0] INFO  HostProcess - start host http://host.docker.internal:3000 | DomXssScanRule strength HIGH threshold HIGH
2025-12-31 16:21:57,175 [Thread-5104] INFO  DomXssScanRule - Reaper thread starting
2025-12-31 16:24:25,872 [ZAP-Scanner-0] INFO  HostProcess - completed host/plugin http://host.docker.internal:3000 | DomXssScanRule in 149.938s with 0 message(s) sent and 0 alert(s) raised.
2025-12-31 16:24:27,537 [ZAP-DomXssReaper] INFO  DomXssScanRule - Reaper thread exiting 0
2025-12-31 16:24:30,054 [ZAP-Scanner-0] INFO  HostProcess - completed host http://host.docker.internal:3000 in 154.251s with 0 alert(s) raised.
2025-12-31 16:24:30,054 [Thread-5048] INFO  Scanner - scanner with ID 0 completed in 154.252s
2025-12-31 16:24:30,320 [ZAP-Automation] INFO  CommandLine - Job activeScan finished, time taken: 00:02:34
...
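A check worth running over logs like the ones above before trusting a 0-alert result, added here as an example (not part of the original post and not ZAP's own code): it parses the HostProcess "Scanning N node(s)" and "completed host/plugin" lines and reports any rule that finished with 0 messages sent, i.e. a rule that never exercised a single node. The sample log is constructed from the excerpt; "ConstructedScanRule" is a made-up rule name used only for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample based on the HostProcess lines in the post; the
# "ConstructedScanRule" line is made up to show a rule that did send traffic.
SAMPLE_LOG = """\
2025-12-31 16:21:55,934 [ZAP-Scanner-0] INFO  HostProcess - Scanning 125 node(s) from http://host.docker.internal:3000
2025-12-31 16:24:25,872 [ZAP-Scanner-0] INFO  HostProcess - completed host/plugin http://host.docker.internal:3000 | DomXssScanRule in 149.938s with 0 message(s) sent and 0 alert(s) raised.
2025-12-31 16:24:26,100 [ZAP-Scanner-0] INFO  HostProcess - completed host/plugin http://host.docker.internal:3000 | ConstructedScanRule in 12.5s with 340 message(s) sent and 2 alert(s) raised.
"""

NODES_LINE = re.compile(r"Scanning (?P<nodes>\d+) node\(s\) from (?P<host>\S+)")
PLUGIN_DONE = re.compile(
    r"completed host/plugin (?P<host>\S+) \| (?P<rule>\S+) in (?P<secs>[\d.]+)s "
    r"with (?P<sent>\d+) message\(s\) sent and (?P<alerts>\d+) alert\(s\) raised\."
)

@dataclass
class RuleResult:
    host: str
    rule: str
    seconds: float
    sent: int
    alerts: int

def parse_rule_results(log_text: str) -> list[RuleResult]:
    """One RuleResult per 'completed host/plugin' line, in log order."""
    results = []
    for line in log_text.splitlines():
        m = PLUGIN_DONE.search(line)
        if m:
            results.append(RuleResult(m["host"], m["rule"], float(m["secs"]),
                                      int(m["sent"]), int(m["alerts"])))
    return results

def coverage_report(log_text: str) -> dict:
    """Per host: node count seen by the scanner and rules that sent 0 requests."""
    # A rule with 0 message(s) sent never touched any node, so its 0 alerts
    # say nothing about the target: report it as a coverage gap, not a pass.
    nodes = {m["host"]: int(m["nodes"]) for m in NODES_LINE.finditer(log_text)}
    report = {}
    for r in parse_rule_results(log_text):
        entry = report.setdefault(r.host, {"nodes": nodes.get(r.host, 0), "idle_rules": []})
        if r.sent == 0:
            entry["idle_rules"].append(r.rule)
    return report

if __name__ == "__main__":
    for host, info in coverage_report(SAMPLE_LOG).items():
        print(f"{host}: {info['nodes']} node(s); idle rules: {info['idle_rules'] or 'none'}")
```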

Simon Bennetts

Jan 5, 2026, 12:17:06 PM
to ZAP User Group
That is a known problem. 
The plan is to re-write the DOM XSS scan rule to use the new Client Map, but we're focussing on other things right now.

Cheers,

simon