Increment DAST_VERSION in on-demand DAST template
What does this MR do?
This merge request updates the version of DAST used for on-demand scans to 2, bringing it into alignment with the main DAST template (DAST.gitlab-ci.yml). We held this update back in the last milestone because a compatibility layer needed to be added first; that layer has now been released in DAST.
Notes
- The template is typically not used directly by customers in their CI config. Instead, it is used when creating DAST scans on-demand.
- This merge request blocks !63849 (merged).
- This is not a breaking change.
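The point of this MR is that two templates must agree on DAST_VERSION, and that a job run from the on-demand template actually pulls the image that version resolves to. As an added example (not part of this MR or of GitLab's own templates), the script below reads the `variables:` block of both templates, checks they pin the same DAST_VERSION, expands the job's `image: name:` and compares it with the image the runner log in the Manual QA section reports using. The YAML fragments are constructed to mirror the shape of DAST.gitlab-ci.yml; the SECURE_ANALYZERS_PREFIX variable and the on-demand template contents are assumptions.

```python
"""Drift check for the two GitLab DAST templates.

Example code added here; it is not part of the MR or of GitLab's templates.
The YAML fragments are constructed to mirror the shape of DAST.gitlab-ci.yml
(the SECURE_ANALYZERS_PREFIX variable and the on-demand file contents are
assumptions). Only the `variables:` block and the job's `image: name:` are
read, so a small line-oriented reader is used instead of a YAML library.
"""
import re
from typing import Dict, Optional

# Constructed sample standing in for DAST.gitlab-ci.yml (pinned to 2).
MAIN_TEMPLATE = """\
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  DAST_VERSION: 2

dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
"""

# Constructed sample standing in for the on-demand template before this MR,
# still held back on version 1.
ON_DEMAND_BEFORE = MAIN_TEMPLATE.replace("DAST_VERSION: 2", "DAST_VERSION: 1")

# The same template after the bump this MR makes.
ON_DEMAND_AFTER = MAIN_TEMPLATE

# Runner line copied from the job log in the Manual QA section.
JOB_LOG_LINE = ("Using Docker executor with image "
                "registry.gitlab.com/gitlab-org/security-products/analyzers/dast:2 ...")

# `  KEY: value` or `  KEY: "value"` at exactly two spaces of indentation.
_VAR_LINE = re.compile(r'^ {2}([A-Z_][A-Z0-9_]*):\s*"?([^"\s]+)"?\s*$')
_IMAGE_NAME = re.compile(r'^\s+name:\s*"?([^"\s]+)"?\s*$', re.MULTILINE)
_DOLLAR_VAR = re.compile(r"\$([A-Z_][A-Z0-9_]*)")


def top_level_variables(template: str) -> Dict[str, str]:
    """Collect the keys under the top-level `variables:` block."""
    found: Dict[str, str] = {}
    inside = False
    for line in template.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # Any unindented line starts a new top-level key.
            inside = line.rstrip() == "variables:"
            continue
        if inside:
            match = _VAR_LINE.match(line)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def image_reference(template: str) -> Optional[str]:
    """Expand `$VAR` references in the job's `image: name:` with the template's variables."""
    match = _IMAGE_NAME.search(template)
    if not match:
        return None
    variables = top_level_variables(template)
    return _DOLLAR_VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), match.group(1))


def pulled_image(log_line: str) -> Optional[str]:
    """Extract the image reference the runner reports it is using."""
    match = re.search(r"with image (\S+)", log_line)
    return match.group(1) if match else None


def check_alignment(main: str, on_demand: str, log_line: str) -> Dict[str, object]:
    """Report whether both templates pin the same DAST_VERSION and whether the
    job log pulled the image the on-demand template resolves to."""
    main_version = top_level_variables(main).get("DAST_VERSION")
    on_demand_version = top_level_variables(on_demand).get("DAST_VERSION")
    expected = image_reference(on_demand)
    pulled = pulled_image(log_line)
    return {
        "main_version": main_version,
        "on_demand_version": on_demand_version,
        "versions_match": main_version is not None and main_version == on_demand_version,
        "on_demand_image": expected,
        "log_matches_template": expected is not None and expected == pulled,
    }


if __name__ == "__main__":
    for label, template in (("before MR", ON_DEMAND_BEFORE), ("after MR", ON_DEMAND_AFTER)):
        result = check_alignment(MAIN_TEMPLATE, template, JOB_LOG_LINE)
        print(f"{label}: DAST_VERSION main={result['main_version']} "
              f"on-demand={result['on_demand_version']} "
              f"aligned={result['versions_match']} "
              f"log_matches_template={result['log_matches_template']}")
```

Run against the real template files, the same check makes a cheap CI guard against the two templates drifting apart again.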
Related Issue(s)
Manual QA
Local
Running with gitlab-runner 14.0.0 (3b6f852e)
  on GDK local runner y_752jUc
Resolving secrets
Preparing the "docker" executor
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:2 ...
Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:2 ...
Using docker image sha256:774c74ce03ebceb9f49f9a5613b4d3c289d7006cd6ef4964dfd4aad1866fd094 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/dast@sha256:b3fd5c5682863fb99491378a57045df7f26d08cc37b022733b36cf520e916c0c ...
Preparing environment
Running on runner-y752juc-project-17-concurrent-0 via fitzroy.local...
Getting source from Git repository
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script
Using docker image sha256:774c74ce03ebceb9f49f9a5613b4d3c289d7006cd6ef4964dfd4aad1866fd094 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/dast@sha256:b3fd5c5682863fb99491378a57045df7f26d08cc37b022733b36cf520e916c0c ...
$ /analyze
2021-07-12 02:55:45,980 Running DAST v2.0.3 on Python 3.9.5 (default, May 19 2021, 11:32:47) [GCC 9.3.0]
2021-07-12 02:55:45,981 Starting the ZAP Server
2021-07-12 02:55:45,981 Running ZAP with parameters ['/zap/zap.sh', '-daemon', '-config', 'proxy.reverseProxy.use=1', '-config', 'proxy.reverseProxy.ip=0.0.0.0', '-config', 'proxy.reverseProxy.httpPort=49204', '-dir', '/app/zap', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']
2021-07-12 02:55:45,982 looking for ZAP at http://127.0.0.1:49204...
2021-07-12 02:55:46,987 looking for ZAP at http://127.0.0.1:49204...
2021-07-12 02:55:47,992 looking for ZAP at http://127.0.0.1:49204...
2021-07-12 02:55:48,994 looking for ZAP at http://127.0.0.1:49204...
[zap_server] Found Java version 11.0.11
[zap_server] Available memory: 1996 MB
[zap_server] Using JVM args: -Xmx499m
[zap_server] 211 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-09-15 started 12/07/2021, 02:55:46 with home /app/zap/
[zap_server] 232 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.use = 1 was null
[zap_server] 233 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.ip = 0.0.0.0 was null
[zap_server] 233 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.httpPort = 49204 was null
[zap_server] 233 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap_server] 233 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap_server] 234 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap_server] 234 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap_server] 234 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap_server] 242 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap_server] 243 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap_server] 302 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
[zap_server] 310 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
[zap_server] 684 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap_server] 2357 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=37.0.0], [id=ascanrulesBeta, version=32.0.0], [id=bruteforce, version=10.0.0], [id=commonlib, version=1.2.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=encoder, version=0.3.0], [id=formhandler, version=3.0.0], [id=fuzz, version=13.1.0], [id=fuzzdb, version=7.0.0], [id=gettingStarted, version=12.0.0], [id=help, version=11.0.0], [id=hud, version=0.12.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=8.0.0], [id=openapi, version=17.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=30.0.0], [id=pscanrulesBeta, version=23.0.0], [id=quickstart, version=29.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.5.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=27.0.0], [id=selenium, version=15.3.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.2.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=28.0.0], [id=webdrivermacos, version=19.0.0], [id=webdriverwindows, version=20.0.0], [id=websocket, version=23.0.0], [id=zest, version=33.0.0]]
[zap_server] 2636 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap_server] Jul 12, 2021 2:55:49 AM java.util.prefs.FileSystemPreferences$1 run
[zap_server] INFO: Created user preferences directory.
[zap_server] 2747 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
[zap_server] 2749 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
[zap_server] 2749 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
[zap_server] 2749 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
[zap_server] 2754 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
[zap_server] 2754 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
[zap_server] 2754 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
[zap_server] 2755 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
[zap_server] 2755 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
[zap_server] 2756 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
[zap_server] 2757 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
[zap_server] 2806 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap_server] 2806 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap_server] 2807 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap_server] 2808 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap_server] 2809 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap_server] 2810 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap_server] 2811 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
[zap_server] 2820 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
[zap_server] 2822 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap_server] 2829 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
[zap_server] 2830 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
[zap_server] 2835 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
[zap_server] 2835 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap_server] 2836 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
[zap_server] 2836 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
[zap_server] 2836 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
[zap_server] 2837 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
[zap_server] 2837 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
[zap_server] 2841 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
[zap_server] 2859 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap_server] 2859 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
[zap_server] 2860 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
[zap_server] 2860 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
[zap_server] 2861 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
[zap_server] 2862 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
[zap_server] 2874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
[zap_server] 2942 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
[zap_server] 2942 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
[zap_server] 2943 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
[zap_server] 3092 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
[zap_server] 3093 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
[zap_server] 3093 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
[zap_server] 3093 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
[zap_server] 3093 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
[zap_server] 3098 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap_server] 3099 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
[zap_server] 3099 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
[zap_server] 3118 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
[zap_server] 3119 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
[zap_server] 3119 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
[zap_server] 3120 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
[zap_server] 3121 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap_server] 3126 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
[zap_server] 3126 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
[zap_server] 3127 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
[zap_server] 3127 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
[zap_server] 3127 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
[zap_server] 3127 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
[zap_server] 3128 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
[zap_server] 3129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
[zap_server] 3129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
[zap_server] 3129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
2021-07-12 02:55:49,997 looking for ZAP at http://127.0.0.1:49204...
[zap_server] 3129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
[zap_server] 3131 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
[zap_server] 3132 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap_server] 3133 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
[zap_server] 3133 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
[zap_server] 3134 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
[zap_server] 3135 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
[zap_server] 3135 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
[zap_server] 3135 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
[zap_server] 3169 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
[zap_server] 3170 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
[zap_server] 3170 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
[zap_server] 3170 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
[zap_server] 3171 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
[zap_server] 3171 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled
[zap_server] 3171 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
[zap_server] 3172 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap_server] 3172 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap_server] 3172 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
[zap_server] 3172 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap_server] 3173 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
[zap_server] 3173 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
[zap_server] 3174 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
[zap_server] 3174 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
[zap_server] 3176 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
[zap_server] 3176 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
[zap_server] 3176 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
[zap_server] 3262 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:37227
[zap_server] 3262 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
[zap_server] 3894 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
2021-07-12 02:55:51,000 looking for ZAP at http://127.0.0.1:49204...
2021-07-12 02:55:51,045 connected to ZAP with version D-2020-09-15
2021-07-12 02:55:51,660 Using scan target https://some-redacted-site.ngrok.io
2021-07-12 02:55:51,744 Waiting for https://some-redacted-site.ngrok.io to be available
2021-07-12 02:55:51,744 Requesting access to https://some-redacted-site.ngrok.io...
2021-07-12 02:55:58,458 Creating Browserker configuration file from DAST settings
2021-07-12 02:55:58,458 Adding Browserker setting AllowedHosts = ["some-redacted-site.ngrok.io"]
2021-07-12 02:55:58,459 Adding Browserker setting DataPath = "/output/browserker_data"
2021-07-12 02:55:58,459 Adding Browserker setting ExcludedElements = []
2021-07-12 02:55:58,459 Adding Browserker setting ExcludedHosts = []
2021-07-12 02:55:58,459 Adding Browserker setting ExcludedURIs = []
2021-07-12 02:55:58,459 Adding Browserker setting FileLogPath = "/output/browserker-debug.log"
2021-07-12 02:55:58,459 Adding Browserker setting IgnoredHosts = []
2021-07-12 02:55:58,459 Adding Browserker setting JSPluginPath = "/browserker/plugins/"
2021-07-12 02:55:58,459 Adding Browserker setting MaxActions = 10000
2021-07-12 02:55:58,459 Adding Browserker setting MaxAttackFailures = 5
2021-07-12 02:55:58,459 Adding Browserker setting MaxDepth = 10
2021-07-12 02:55:58,459 Adding Browserker setting NumBrowsers = 3
2021-07-12 02:55:58,459 Adding Browserker setting Proxy = "http://127.0.0.1:49204"
2021-07-12 02:55:58,459 Adding Browserker setting PluginResourcePath = "/browserker/resources/"
2021-07-12 02:55:58,459 Adding Browserker setting ReportCookiesPath = "/output/cookies.json"
2021-07-12 02:55:58,459 Adding Browserker setting ScanMode = "crawl"
2021-07-12 02:55:58,459 Adding Browserker setting ShowBrowser = false
2021-07-12 02:55:58,459 Adding Browserker setting BrowserWidth = 1300
2021-07-12 02:55:58,459 Adding Browserker setting BrowserHeight = 700
2021-07-12 02:55:58,459 Adding Browserker setting URL = "https://some-redacted-site.ngrok.io"
2021-07-12 02:55:58,459 Adding Browserker setting NavigationTimeout = "15s"
2021-07-12 02:55:58,459 Adding Browserker setting ActionTimeout = "7s"
2021-07-12 02:55:58,459 Adding Browserker setting StabilityTimeout = "7s"
2021-07-12 02:55:58,459 Adding Browserker setting WaitAfterNavigation = "6s"
2021-07-12 02:55:58,459 Adding Browserker setting WaitAfterAction = "800ms"
2021-07-12 02:55:58,459 Adding Browserker setting SearchElementTimeout = "3s"
2021-07-12 02:55:58,459 Adding Browserker setting ExtractElementTimeout = "5s"
2021-07-12 02:55:58,459 Adding Browserker setting ElementTimeout = "300ms"
2021-07-12 02:55:58,459 Adding Browserker setting
2021-07-12 02:55:58,459 Adding Browserker setting [FileLogLevels]
2021-07-12 02:55:58,459 Adding Browserker setting LogLevel = "debug"
2021-07-12 02:55:58,459 Adding Browserker setting
2021-07-12 02:55:58,460 Adding Browserker setting [ConsoleLogLevels]
2021-07-12 02:55:58,460 Adding Browserker setting LogLevel = "info"
2021-07-12 02:55:58,460 Adding Browserker setting
2021-07-12 02:55:58,460 Adding Browserker setting [AuthDetails]
2021-07-12 02:55:58,460 Adding Browserker setting LoginURL = "https://some-redacted-site.ngrok.io/admin/login"
2021-07-12 02:55:58,460 Adding Browserker setting UserName = ********
2021-07-12 02:55:58,460 Adding Browserker setting Password = ********
2021-07-12 02:55:58,460 Adding Browserker setting UserNameField = "admin_user[email]"
2021-07-12 02:55:58,460 Adding Browserker setting PasswordField = "admin_user[password]"
2021-07-12 02:55:58,460 Adding Browserker setting SubmitButtonField = "css:[type=submit], button"
2021-07-12 02:55:58,460 Starting Browserker...
2021-07-12T02:55:58.000 INF MAIN Starting Browserker for Authentication Verification version=v0.0.37
2021-07-12T02:55:58.000 INF MAIN Initializing browser...
2021-07-12T02:55:59.000 INF AUTH Attempting to authenticate
2021-07-12T02:55:59.000 INF AUTH Loading login page LoginURL=https://some-redacted-site.ngrok.io/admin/login
2021-07-12T02:56:37.000 INF AUTH Verifying user login attempt
2021-07-12T02:56:37.000 INF BROWS unable to find selector selector="css:#admin_user\\[email\\], [name=\"admin_user\\[email\\]\"], admin_user[email] or css:#admin_user\\[password\\], [name=\"admin_user\\[password\\]\"], admin_user[password] or css:[type=submit], button"
2021-07-12T02:56:43.000 INF AUTH Login attempt succeeded
2021-07-12T02:56:43.000 INF MAIN Authentication Success
2021-07-12T02:56:43.000 INF MAIN _app_session=********; domain=some-redacted-site.ngrok.io; path=/; expires=1969-12-31 23:59:59 +0000 UTC; HttpOnly
2021-07-12T02:56:43.000 INF AUTH saving cookies to disk report-path=/output/cookies.json
2021-07-12 02:56:43,882 Browserker completed with exit code 0
2021-07-12 02:56:43,905 Requesting access to https://some-redacted-site.ngrok.io...
2021-07-12 02:56:48,925 ReadTimeout: request timed out while waiting for data from server
2021-07-12 02:56:48,925 starting scan
2021-07-12 02:56:48,925 Spider starting with target: https://some-redacted-site.ngrok.io
2021-07-12 02:56:53,939 Spider progress: 10% complete
2021-07-12 02:56:58,948 Spider progress: 37% complete
2021-07-12 02:57:03,956 Spider progress: 43% complete
2021-07-12 02:57:08,965 Spider progress: 50% complete
2021-07-12 02:57:13,973 Spider progress: 43% complete
2021-07-12 02:57:18,979 Spider progress: 62% complete
2021-07-12 02:57:23,987 Spider progress: 65% complete
2021-07-12 02:57:28,996 Spider progress: 75% complete
A certificate created
[zap_server] 3895 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on localhost:8080
[zap_server] 3896 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
[zap_server] 5081 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New session file created: /app/zap/session/dast.session
[zap_server] 57491 [ZAP-ProxyThread-26] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site 'some-redacted-site.ngrok.io:443': HttpSession [name=auth-session, active=false, tokenValues='']
[zap_server] 57502 [ZAP-ProxyThread-28] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site 'some-redacted-site.ngrok.io:443': HttpSession [name=auth-session, active=true, tokenValues='_app_session=oWoNE3XYdrIr1Myz8P95BW9cH9MBp%2FoRk56W0hKY07UP3NWC2KxLxaawdsDHPQR2VLZxKGQ145uSQMnLfRHyUJMo%2FUT8qnZlyboWrJLV%2FcjjDkMUBrqZ%2BgcX%2FVNKYyBvVp3WN9KxX6ro3B5LJkP%2FvLVo9hYN3OVYmZHddaf1GAc6PrqRxgJK5sSIAKIWUL2asY2fk5KR5LXRlmS%2FcWKQPgB2jOlXpPpfWNx3LWpmMM3UFPoPBg%2F%2Fdoso6fjOf6rPmjw8PHgl75aDRZ33dr58U8vncld0vqcZ3n4%2F3PMg3zT3rszwRROB5sqlnvtEngeCb03uGfYBzuZfozd7BgaeOK66Ct8%2FJtr9920dm27b1QlnGiqhlVlGKASBDOj%2BDEYM3VRKbC0C4Xivj%2BfScN23Oe4vGQAY2QTn--Vw5nTGmf43tRCTdc--yRaRO01KsIaYg3Gz2qkkog%3D%3D']
[zap_server] 62532 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Target Context at Mon Jul 12 02:56:48 UTC 2021
[zap_server] 62533 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
[zap_server] 62562 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
[zap_server] 67300 [ZAP-ProxyThread-30] WARN org.parosproxy.paros.core.proxy.ProxyThread - Failed to write/forward the HTTP response to the client: java.net.SocketException: Broken pipe (Write failed)
[zap_server] 80284 [ZAP-SpiderThreadPool-0-thread-2] WARN org.zaproxy.zap.spider.URLCanonicalizer - Host could not be reliably evaluated from: http://example.com:80x/ (on base https://some-redacted-site.ngrok.io/assets/active_admin)
[zap_server] 86830 [ZAP-SpiderThreadPool-0-thread-1] WARN org.zaproxy.zap.spider.URLCanonicalizer - Host could not be reliably evaluated from: http://example.com:80x/ (on base https://some-redacted-site.ngrok.io/assets/active_admin.debug-c46198a9e0477f278a2717c82bdec688be869b2e19e3ab5333ba00122432900c.js)
[zap_server] 93995 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscan.PassiveScanThread - Scanner Information Disclosure - Sensitive Information in URL failed on record 86 from History table: GET https://some-redacted-site.ngrok.io/admin/comments?commit=Filter&order=id_desc&q%5Bauthor_type_eq%5D&q%5Bbody_contains%5D=ZAP&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bnamespace_contains%5D=ZAP&q%5Bresource_type_eq%5D&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP
[zap_server] java.lang.NullPointerException
[zap_server] at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1770)
[zap_server] at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
[zap_server] at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
[zap_server] at java.base/java.util.regex.Pattern.matcher(Pattern.java:1133)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.isCreditCard(InformationDisclosureInUrlScanRule.java:187)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.scanHttpRequestSend(InformationDisclosureInUrlScanRule.java:75)
[zap_server] at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:205)
[zap_server] 104263 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscan.PassiveScanThread - Scanner Information Disclosure - Sensitive Information in URL failed on record 116 from History table: GET https://some-redacted-site.ngrok.io/admin/comments?commit=Filter&order=id_desc&q%5Bauthor_type_eq%5D&q%5Bbody_contains%5D=ZAP&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bnamespace_contains%5D=ZAP&q%5Bresource_type_eq%5D&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP&scope=all
[zap_server] java.lang.NullPointerException
[zap_server] at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1770)
[zap_server] at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
[zap_server] at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
[zap_server] at java.base/java.util.regex.Pattern.matcher(Pattern.java:1133)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.isCreditCard(InformationDisclosureInUrlScanRule.java:187)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.scanHttpRequestSend(InformationDisclosureInUrlScanRule.java:75)
[zap_server] at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:205)
[zap_server] 104338 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscan.PassiveScanThread - Scanner Information Disclosure - Sensitive Information in URL failed on record 119 from History table: GET https://some-redacted-site.ngrok.io/admin/comments?commit=Filter&order=id_desc&q%5Bauthor_type_eq%5D&q%5Bbody_contains%5D=ZAP&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bnamespace_contains%5D=ZAP&q%5Bresource_type_eq%5D&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP&scope=admin
[zap_server] java.lang.NullPointerException
[zap_server] at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1770)
[zap_server] at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
[zap_server] at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
[zap_server] at java.base/java.util.regex.Pattern.matcher(Pattern.java:1133)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.isCreditCard(InformationDisclosureInUrlScanRule.java:187)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.scanHttpRequestSend(InformationDisclosureInUrlScanRule.java:75)
[zap_server] at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:205)
[zap_server] 104354 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscan.PassiveScanThread - Scanner Information Disclosure - Sensitive Information in URL failed on record 120 from History table: GET https://some-redacted-site.ngrok.io/admin/comments?order=id_desc&q%5Bauthor_type_eq%5D&q%5Bbody_contains%5D=ZAP&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bnamespace_contains%5D=ZAP&q%5Bresource_type_eq%5D&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP&scope=all
[zap_server] java.lang.NullPointerException
[zap_server] at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1770)
[zap_server] at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
[zap_server] at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
[zap_server] at java.base/java.util.regex.Pattern.matcher(Pattern.java:1133)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.isCreditCard(InformationDisclosureInUrlScanRule.java:187)
[zap_server] at org.zaproxy.zap.extension.pscanrules.InformationDisclosureInUrlScanRule.scanHttpRequestSend(InformationDisclosureInUrlScanRule.java:75)
[zap_server] at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:205)
[zap_server] 104422 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscan.PassiveScanThread - Scanner Information Disclosure - Sensitive Information in URL failed on record 122 from History table: GET https://some-redacted-site.ngrok.io/admin/comments?order=id_desc&q%5Bauthor_type_eq%5D&q%5Bbody_contains%5D=ZAP&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bnamespace_contains%5D=ZAP&q%5Bresource_type_eq%5D&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP&scope=admin
[zap_server] java.lang.NullPoint
2021-07-12 02:57:34,005 Spider progress: 90% complete
2021-07-12 02:57:39,014 Spider progress: 92% complete
2021-07-12 02:57:44,022 Spider progress: 98% complete
2021-07-12 02:57:49,032 Spider complete
2021-07-12 02:57:49,395 connecting to ZAP database /app/zap/session/dast.session
Jul 12, 2021 2:57:49 AM org.hsqldb.persist.Logger logInfoEvent
INFO: dataFileCache open start
Jul 12, 2021 2:57:49 AM org.hsqldb.persist.Logger logInfoEvent
INFO: dataFileCache open end
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: checkpointClose start
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: checkpointClose synched
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: checkpointClose script done
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: dataFileCache commit start
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: dataFileCache commit end
Jul 12, 2021 2:57:50 AM org.hsqldb.persist.Logger logInfoEvent
INFO: checkpointClose end
2021-07-12 02:57:50,574 The following 71 URLs were scanned:
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
WARN: Application Error Disclosure [90022] x 5
https://some-redacted-site.ngrok.io/admin/people/batch_action (500)
https://some-redacted-site.ngrok.io/admin/admin_users/batch_action (500)
https://some-redacted-site.ngrok.io/admin/admin_users/batch_action?q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (500)
https://some-redacted-site.ngrok.io/admin/people (500)
https://some-redacted-site.ngrok.io/admin/people/batch_action?q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bname_contains%5D=ZAP&q%5Bupdated_at_gteq_datetime%5D=ZAP&q%5Bupdated_at_lteq_datetime%5D=ZAP (500)
SKIP: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Charset Mismatch [90011]
WARN: CSP [10055] x 6
https://some-redacted-site.ngrok.io/ (200)
https://some-redacted-site.ngrok.io/ (200)
https://some-redacted-site.ngrok.io/ (200)
https://some-redacted-site.ngrok.io (200)
https://some-redacted-site.ngrok.io (200)
PASS: Content-Type Header Missing [10019]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Loosely Scoped Cookie [90033]
WARN: Cookie Without SameSite Attribute [10054] x 44
https://some-redacted-site.ngrok.io/admin/login (200)
https://some-redacted-site.ngrok.io/admin/login (302)
https://some-redacted-site.ngrok.io/ (200)
https://some-redacted-site.ngrok.io (200)
https://some-redacted-site.ngrok.io/admin (200)
WARN: Cookie Without Secure Flag [10011] x 44
https://some-redacted-site.ngrok.io/admin/login (200)
https://some-redacted-site.ngrok.io/admin/login (302)
https://some-redacted-site.ngrok.io/ (200)
https://some-redacted-site.ngrok.io (200)
https://some-redacted-site.ngrok.io/admin (200)
PASS: Cross-Domain Misconfiguration [10098]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
WARN: Absence of Anti-CSRF Tokens [10202] x 17
https://some-redacted-site.ngrok.io/admin/admin_users (200)
https://some-redacted-site.ngrok.io/admin/comments (200)
https://some-redacted-site.ngrok.io/admin/people (200)
https://some-redacted-site.ngrok.io/admin/admin_users?order=created_at_desc (200)
https://some-redacted-site.ngrok.io/admin/admin_users?commit=Filter&order=id_desc&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (200)
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
SKIP: Information Disclosure - Suspicious Comments [10027]
PASS: Weak Authentication Method [10105]
PASS: Insecure JSF ViewState [90001]
PASS: Secure Pages Include Mixed Content [10040]
SKIP: Timestamp Disclosure [10096]
PASS: Username Hash Found [10057]
PASS: Viewstate [10032]
PASS: X-AspNet-Version Response Header [10061]
WARN: X-Content-Type-Options Header Missing [10021] x 5
https://some-redacted-site.ngrok.io/assets/active_admin.debug-ca1006d2902e1a94876b364f82eeb64a382c82b390be2d9e8475885e1f62eda9.css (200)
https://some-redacted-site.ngrok.io/assets/active_admin/print.debug-5625980cec3ade75f9db40b81547ef2cc7a16bee2402a9488ccd564ce556cff9.css (200)
https://some-redacted-site.ngrok.io/assets/active_admin.debug-c46198a9e0477f278a2717c82bdec688be869b2e19e3ab5333ba00122432900c.js (200)
https://some-redacted-site.ngrok.io/robots.txt (200)
https://some-redacted-site.ngrok.io/assets/active_admin (200)
PASS: X-Debug-Token Information Leak [10056]
SKIP: X-Frame-Options Header [10020]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
SKIP: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
WARN: Content Security Policy (CSP) Header Not Set [10038] x 35
https://some-redacted-site.ngrok.io/admin/login (200)
https://some-redacted-site.ngrok.io/sitemap.xml (404)
https://some-redacted-site.ngrok.io/admin (200)
https://some-redacted-site.ngrok.io/assets (404)
https://some-redacted-site.ngrok.io/admin/dashboard (200)
PASS: Directory Browsing [10033]
PASS: Hash Disclosure [10097]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: Reverse Tabnabbing [10108]
SKIP: Modern Web Application [10109]
PASS: PII Disclosure [10062]
SKIP: Retrieved from Cache [10050]
PASS: HTTP Server Response Header [10036]
SKIP: HTTP Parameter Override [10026]
WARN: Strict-Transport-Security Header [10035] x 54
https://some-redacted-site.ngrok.io/admin/login (200)
https://some-redacted-site.ngrok.io/assets/active_admin.debug-ca1006d2902e1a94876b364f82eeb64a382c82b390be2d9e8475885e1f62eda9.css (200)
https://some-redacted-site.ngrok.io/assets/active_admin/print.debug-5625980cec3ade75f9db40b81547ef2cc7a16bee2402a9488ccd564ce556cff9.css (200)
https://some-redacted-site.ngrok.io/assets/active_admin.debug-c46198a9e0477f278a2717c82bdec688be869b2e19e3ab5333ba00122432900c.js (200)
https://some-redacted-site.ngrok.io/robots.txt (200)
PASS: User Controllable Charset [10030]
PASS: Cookie Poisoning [10029]
WARN: User Controllable HTML Element Attribute (Potential XSS) [10031] x 60
https://some-redacted-site.ngrok.io/admin/admin_users?order=created_at_desc (200)
https://some-redacted-site.ngrok.io/admin/admin_users?commit=Filter&order=id_desc&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (200)
https://some-redacted-site.ngrok.io/admin/admin_users?commit=Filter&order=id_desc&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (200)
https://some-redacted-site.ngrok.io/admin/admin_users?commit=Filter&order=id_desc&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (200)
https://some-redacted-site.ngrok.io/admin/admin_users?commit=Filter&order=id_desc&q%5Bcreated_at_gteq_datetime%5D=ZAP&q%5Bcreated_at_lteq_datetime%5D=ZAP&q%5Bemail_contains%5D=ZAP (200)
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Open Redirect [10028]
PASS: X-Backend-Server Header Information Leak [10039]
SKIP: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Vulnerable JS Library [10003]
SUMMARY - PASS: 35 | WARN: 9 | SKIP: 9
section_end:1626058670:step_script
section_start:1626058670:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
gl-dast-report.json: found 1 matching files and directories
Uploading artifacts as "dast" to coordinator... ok id=122 responseStatus=201 Created token=Z6wjjbgU
section_end:1626058672:upload_artifacts_on_success
Job succeeded
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- I have tested this MR in all supported browsers, or it's not needed.
- I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Philip Cunningham