
Bring DAST.latest.gitlab-ci.yml inline with DAST.gitlab-ci.yml

What does this MR do and why?

In !63382 (merged) the DAST.gitlab-ci.yml template was updated but DAST.latest.gitlab-ci.yml was not. The purpose of DAST.latest.gitlab-ci.yml is to add new configurations or breaking changes before a major release, so it should always be in line with, or ahead of, DAST.gitlab-ci.yml.

This MR brings the two templates back in line and, by doing that, re-adds the rule

    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdast\b/

This rule was originally removed so that DAST would still run (and exit with an appropriate error message) when a user is not licensed to use DAST.

This change will be addressed in #364371.

#352702 (closed)
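To make the effect of the restored rule concrete, here is an added Python sketch (not part of this MR or of GitLab's templates) that evaluates `$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bdast\b/` over constructed variable sets and contrasts the job outcome with and without the rule. It assumes GitLab's documented `rules:if` semantics (an unset or empty variable is falsy, `=~` is an unanchored regex search) and simplifies the pre-MR state to "the licence condition is simply absent".

```python
import re
from typing import Mapping, Optional

# The rule this MR restores to DAST.latest.gitlab-ci.yml:
#   - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bdast\b/
# GITLAB_FEATURES is the comma-separated list of licensed features the
# instance injects into every job. The \b anchors mean a feature name that
# merely starts with "dast" does not satisfy the check.
DAST_FEATURE_RE = re.compile(r"\bdast\b")


def dast_rule_matches(variables: Mapping[str, Optional[str]]) -> bool:
    """Evaluate the rule the way GitLab's `rules:if` does (assumed semantics).

    CI_COMMIT_BRANCH is only set for branch pipelines, so merge request and
    tag pipelines never match; an unset or empty variable is treated as
    false and `=~` is an unanchored regex search over the feature list.
    """
    branch = variables.get("CI_COMMIT_BRANCH")
    features = variables.get("GITLAB_FEATURES")
    if not branch or not features:
        return False
    return DAST_FEATURE_RE.search(features) is not None


def dast_job_outcome(variables: Mapping[str, Optional[str]],
                     rule_restored: bool = True) -> str:
    """Describe what the pipeline does with the dast job.

    rule_restored=True is the template after this MR: unlicensed instances
    never get the job. rule_restored=False is the simplified pre-MR state:
    the licence condition is absent, the job is created anyway, and the
    analyzer itself reports the licence problem at runtime.
    """
    licensed = dast_rule_matches(variables)
    if rule_restored:
        return "job created" if licensed else "job not created"
    # Pre-MR (simplified): no licence gate at pipeline-creation time.
    if DAST_FEATURE_RE.search(variables.get("GITLAB_FEATURES") or ""):
        return "job created"
    return "job created, analyzer fails with licence error"


# Constructed variable sets standing in for three pipelines (not real data).
LICENSED_BRANCH = {"CI_COMMIT_BRANCH": "main",
                   "GITLAB_FEATURES": "sast,dast,secret_detection"}
UNLICENSED_BRANCH = {"CI_COMMIT_BRANCH": "main",
                     "GITLAB_FEATURES": "sast,secret_detection"}
MERGE_REQUEST = {"CI_COMMIT_BRANCH": None, "GITLAB_FEATURES": "dast"}
# Hypothetical feature name, constructed only to show the \b word boundary.
PREFIX_ONLY = {"CI_COMMIT_BRANCH": "main", "GITLAB_FEATURES": "dast_extra"}

if __name__ == "__main__":
    for name, env in (("licensed branch", LICENSED_BRANCH),
                      ("unlicensed branch", UNLICENSED_BRANCH),
                      ("merge request", MERGE_REQUEST),
                      ("prefix only", PREFIX_ONLY)):
        print(f"{name:18} rule={dast_rule_matches(env)!s:5} "
              f"after MR: {dast_job_outcome(env)}; "
              f"before MR: {dast_job_outcome(env, rule_restored=False)}")
```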

Job output.
Running with gitlab-runner 15.0.0 (febb2a09)
  on review-craigmsmit-i0m869-gitlab-runner-74b85767bf-rc26k Cm4EGjCN
Resolving secrets
Preparing the "kubernetes" executor
Using Kubernetes namespace: review-craigmsmit-i0m869
Using Kubernetes executor with image registry.gitlab.com/security-products/dast:3 ...
Using attach strategy to execute scripts...
Preparing environment
Waiting for pod review-craigmsmit-i0m869/runner-cm4egjcn-project-91-concurrent-06d4xv to be running, status is Pending
	ContainersNotInitialized: "containers with incomplete status: [init-permissions]"
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-cm4egjcn-project-91-concurrent-06d4xv via review-craigmsmit-i0m869-gitlab-runner-74b85767bf-rc26k...

Getting source from Git repository
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup

Executing "step_script" stage of the job script
$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi
$ /analyze
2022-06-06 01:30:34,771 Running DAST v3.0.5 on Python 3.9.10 (main, Jan 16 2022, 17:12:18) [GCC 11.2.0]
2022-06-06 01:30:34,772 Starting the ZAP Server
2022-06-06 01:30:34,772 Running ZAP with parameters ['/zap/zap.sh', '-daemon', '-config', 'proxy.reverseProxy.use=1', '-config', 'proxy.reverseProxy.ip=0.0.0.0', '-config', 'proxy.reverseProxy.httpPort=58662', '-dir', '/app/zap', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']
2022-06-06 01:30:34,777 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:35,787 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:36,793 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:37,800 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:38,807 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:39,814 looking for ZAP at http://127.0.0.1:58662...
[zap_server] Found Java version 11.0.15
[zap_server] Available memory: 64321 MB
[zap_server] Using JVM args: -Xmx16080m
[zap_server] 949 [main] INFO  org.parosproxy.paros.Constant - Copying default configuration to /app/zap/config.xml
[zap_server] 1185 [main] INFO  org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2022-01-04 started 06/06/2022, 01:30:36 with home /app/zap/
[zap_server] 1215 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.use = 1 was null
[zap_server] 1216 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.ip = 0.0.0.0 was null
[zap_server] 1217 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config proxy.reverseProxy.httpPort = 58662 was null
[zap_server] 1217 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap_server] 1217 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap_server] 1217 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap_server] 1218 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap_server] 1218 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap_server] 1224 [main] INFO  org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap_server] 1225 [main] INFO  org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap_server] 1302 [main] INFO  org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
[zap_server] 1306 [main] INFO  org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
[zap_server] 3923 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=13.0.0], [id=ascanrules, version=46.0.0], [id=ascanrulesBeta, version=40.0.0], [id=automation, version=0.15.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.3.0], [id=commonlib, version=1.9.0], [id=coreLang, version=15.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.1.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.6.0], [id=fuzzdb, version=8.0.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.9.0], [id=help, version=15.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=network, version=0.2.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=27.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=40.0.0], [id=pscanrulesBeta, version=29.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.12.0], [id=retest, version=0.2.0], [id=retire, version=0.11.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.8.0], [id=sequence, version=7.0.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=38.0.0], [id=webdrivermacos, version=35.0.0], [id=webdriverwindows, version=35.0.0], [id=websocket, version=25.0.0], [id=zest, version=35.0.0]]
[zap_server] 3925 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap_server] 4853 [ZAP-daemon] INFO  org.zaproxy.addon.network.internal.TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]
[zap_server] 4946 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap_server] Jun 06, 2022 1:30:39 AM java.util.prefs.FileSystemPreferences$1 run
[zap_server] INFO: Created user preferences directory.
[zap_server] 5338 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
[zap_server] 5341 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
[zap_server] 5341 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
[zap_server] 5341 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
[zap_server] 5350 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
[zap_server] 5351 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
[zap_server] 5352 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
[zap_server] 5353 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
[zap_server] 5354 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
[zap_server] 5356 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
[zap_server] 5411 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap_server] 5412 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap_server] 5412 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
[zap_server] 5412 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header
[zap_server] 5412 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap_server] 5412 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute
[zap_server] 5413 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap_server] 5414 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap_server] 5415 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap_server] 5415 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
[zap_server] 5416 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
[zap_server] 5417 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap_server] 5417 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap_server] 5417 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap_server] 5418 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap_server] 5418 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap_server] 5418 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap_server] 5418 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap_server] 5418 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap_server] 5419 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
[zap_server] 5420 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap_server] 5420 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap_server] 5420 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap_server] 5420 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap_server] 5421 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap_server] 5421 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap_server] 5421 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap_server] 5421 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
[zap_server] 5436 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
[zap_server] 5438 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap_server] 5444 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
[zap_server] 5445 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
[zap_server] 5450 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
[zap_server] 5450 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap_server] 5451 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
[zap_server] 5452 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
[zap_server] 5452 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
[zap_server] 5452 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
[zap_server] 5453 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
[zap_server] 5456 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
[zap_server] 5474 [ZAP-daemon] INFO  org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap_server] 5476 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
[zap_server] 5476 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
[zap_server] 5479 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
[zap_server] 5480 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
[zap_server] 5484 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
[zap_server] 5615 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
[zap_server] 5615 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
[zap_server] 5617 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
[zap_server] 5795 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
[zap_server] 5796 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
[zap_server] 5796 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
[zap_server] 5796 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
[zap_server] 5797 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
[zap_server] 5805 [ZAP-daemon] INFO  org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap_server] 5806 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
[zap_server] 5806 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
[zap_server] 5827 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
[zap_server] 5829 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
[zap_server] 5830 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
[zap_server] 5830 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
[zap_server] 5831 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
[zap_server] 5832 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap_server] 5841 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
[zap_server] 5842 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
[zap_server] 5844 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
[zap_server] 5844 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
[zap_server] 5844 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
[zap_server] 5844 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides core networking capabilities.
[zap_server] 5855 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
[zap_server] 5855 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
[zap_server] 5855 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
[zap_server] 5855 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
[zap_server] 5855 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
2022-06-06 01:30:40,821 looking for ZAP at http://127.0.0.1:58662...
[zap_server] 5856 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
[zap_server] 5856 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
[zap_server] 5857 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
[zap_server] 5857 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
[zap_server] 5857 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
[zap_server] 5861 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
[zap_server] 5862 [ZAP-daemon] INFO  org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap_server] 5863 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Definition
[zap_server] 5864 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
[zap_server] 5864 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generation
[zap_server] 5866 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generation Automation Integration
[zap_server] 5872 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
[zap_server] 5872 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing SOAP Automation Framework Integration
[zap_server] 5875 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
[zap_server] 5875 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
[zap_server] 5875 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Retest add-on allows to verify the presence/absence of certain alerts.
[zap_server] 5876 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap_server] 5878 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
[zap_server] 5878 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Ajax Spider Automation Framework Integration
[zap_server] 5881 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
[zap_server] 6166 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
[zap_server] 6169 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
[zap_server] 6173 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles all of the calls to ZAP services
[zap_server] 6173 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
[zap_server] 6174 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
[zap_server] 6174 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing DOM XSS Active Scan Rule
[zap_server] 6248 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
[zap_server] 6248 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
[zap_server] 6251 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OpenAPI Automation Framework Integration
2022-06-06 01:30:41,828 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:42,834 looking for ZAP at http://127.0.0.1:58662...
2022-06-06 01:30:42,900 connected to ZAP with version D-2022-01-04
2022-06-06 01:30:43,736 Using scan target https://google-gruyere.appspot.com/564959828417281418006207909483102970029/
2022-06-06 01:30:43,772 Waiting for https://google-gruyere.appspot.com/564959828417281418006207909483102970029/ to be available
2022-06-06 01:30:43,772 Requesting access to https://google-gruyere.appspot.com/564959828417281418006207909483102970029/...
2022-06-06 01:30:44,038 Requesting access to https://google-gruyere.appspot.com/564959828417281418006207909483102970029/...
2022-06-06 01:30:44,648 starting scan
2022-06-06 01:30:44,648 Spider starting with target: https://google-gruyere.appspot.com/564959828417281418006207909483102970029/
[zap_server] 6253 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
[zap_server] 6254 [ZAP-daemon] INFO  org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled
[zap_server] 6254 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
[zap_server] 6254 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap_server] 6254 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap_server] 6255 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripts Automation
[zap_server] 6259 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
[zap_server] 6260 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
[zap_server] 6261 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Alert Filters Automation Framework Integration
[zap_server] 6263 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
[zap_server] 6265 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing GraphQL Automation Framework Integration
[zap_server] 6266 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
[zap_server] 6313 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
[zap_server] 6314 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOast
[zap_server] 6318 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds OAST scripts.
[zap_server] 6319 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Import and Export functionality supporting multiple formats.
[zap_server] 6319 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Import/Export Automation Framework Integration
[zap_server] 6321 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
[zap_server] 6321 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides functionality to simplify using ZAP in an automated manner
[zap_server] 6322 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
[zap_server] 6322 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
[zap_server] 6322 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing org.zaproxy.addon.commonlib.ExtensionCommonlib
[zap_server] 6535 [ZAP-daemon] INFO  org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:35207
[zap_server] 6537 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - Creating new root CA certificate.
[zap_server] 7376 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - New root CA certificate created.
[zap_server] 7401 [ZAP-daemon] INFO  org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 7402 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on localhost:8080
[zap_server] 7403 [ZAP-daemon] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
[zap_server] 7972 [ZAP-ProxyThread-2] INFO  org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 8557 [ZAP-ProxyThread-2] INFO  org.parosproxy.paros.control.Control - New session file created: /app/zap/session/dast.session
2022-06-06 01:30:49,683 Spider complete
2022-06-06 01:30:52,197 connecting to ZAP database /app/zap/session/dast.session
2022-06-06 01:30:53,573 The following 93 URLs were scanned:
GET https://google-gruyere.appspot.com
GET https://google-gruyere.appspot.com/
GET https://google-gruyere.appspot.com/0
GET https://google-gruyere.appspot.com/1
GET https://google-gruyere.appspot.com/2
GET https://google-gruyere.appspot.com/3
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/lib.js
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/login
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/login?pw=ZAP&uid=ZAP
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/newaccount.gtl
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/snippets.gtl?uid=brie
GET https://google-gruyere.appspot.com/388167577584617422863891768023458118371/snippets.gtl?uid=cheddar
GET https://google-gruyere.appspot.com/4
GET https://google-gruyere.appspot.com/5
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/editprofile.gtl
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/lib.js
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/logout
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/newaccount.gtl
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/newsnippet.gtl
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/newsnippet2?snippet
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/saveprofile?action=update&color=%23ffffff&icon=ZAP&name=ZAP&oldpw=ZAP&private_snippet&pw=ZAP&web_site=ZAP
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/snippets.gtl
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/snippets.gtl?uid=brie
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/snippets.gtl?uid=cheddar
GET https://google-gruyere.appspot.com/564959828417281418006207909483102970029/upload.gtl
GET https://google-gruyere.appspot.com/6
GET https://google-gruyere.appspot.com/7
GET https://google-gruyere.appspot.com/8
GET https://google-gruyere.appspot.com/9
GET https://google-gruyere.appspot.com/code/
GET https://google-gruyere.appspot.com/code/?data.py
GET https://google-gruyere.appspot.com/code/?gruyere.py
GET https://google-gruyere.appspot.com/code/?gtl.py
GET https://google-gruyere.appspot.com/code/?resoources/dump.gtl
GET https://google-gruyere.appspot.com/code/?resources/dump.gtl
GET https://google-gruyere.appspot.com/code/?resources/editprofile.gtl
GET https://google-gruyere.appspot.com/code/?resources/error.gtl
GET https://google-gruyere.appspot.com/code/?resources/feed.gtl
GET https://google-gruyere.appspot.com/code/?resources/home.gtl
GET https://google-gruyere.appspot.com/code/?resources/manage.gtl
GET https://google-gruyere.appspot.com/code/?resources/menubar.gtl
GET https://google-gruyere.appspot.com/code/?sanitize.py
GET https://google-gruyere.appspot.com/code/data.py
GET https://google-gruyere.appspot.com/code/gruyere.py
GET https://google-gruyere.appspot.com/code/gtl.py
GET https://google-gruyere.appspot.com/code/resources/base.css
GET https://google-gruyere.appspot.com/code/resources/dump.gtl
GET https://google-gruyere.appspot.com/code/resources/editprofile.gtl
GET https://google-gruyere.appspot.com/code/resources/error.gtl
GET https://google-gruyere.appspot.com/code/resources/feed.gtl
GET https://google-gruyere.appspot.com/code/resources/home.gtl
GET https://google-gruyere.appspot.com/code/resources/lib.js
GET https://google-gruyere.appspot.com/code/resources/login.gtl
GET https://google-gruyere.appspot.com/code/resources/manage.gtl
GET https://google-gruyere.appspot.com/code/resources/menubar.gtl
GET https://google-gruyere.appspot.com/code/resources/newaccount.gtl
GET https://google-gruyere.appspot.com/code/resources/newsnippet.gtl
GET https://google-gruyere.appspot.com/code/resources/showprofile.gtl
GET https://google-gruyere.appspot.com/code/resources/snippets.gtl
GET https://google-gruyere.appspot.com/code/resources/upload.gtl
GET https://google-gruyere.appspot.com/code/resources/upload2.gtl
GET https://google-gruyere.appspot.com/code/sanitize.py
GET https://google-gruyere.appspot.com/code/secret.txt
GET https://google-gruyere.appspot.com/gruyere-code.zip
GET https://google-gruyere.appspot.com/part1
GET https://google-gruyere.appspot.com/part2
GET https://google-gruyere.appspot.com/part3
GET https://google-gruyere.appspot.com/part4
GET https://google-gruyere.appspot.com/part5
GET https://google-gruyere.appspot.com/resetbutton
GET https://google-gruyere.appspot.com/robots.txt
GET https://google-gruyere.appspot.com/sitemap.xml
GET https://google-gruyere.appspot.com/start
GET https://google-gruyere.appspot.com/static/cheese_b.png
GET https://google-gruyere.appspot.com/static/cheese_bw.png
GET https://google-gruyere.appspot.com/static/cheese_w.png
GET https://google-gruyere.appspot.com/static/closed.gif
GET https://google-gruyere.appspot.com/static/codeindex.html
GET https://google-gruyere.appspot.com/static/codeindex/html
GET https://google-gruyere.appspot.com/static/codelab.css
GET https://google-gruyere.appspot.com/static/gruyere-40.png
GET https://google-gruyere.appspot.com/static/gruyere-78.png
GET https://google-gruyere.appspot.com/static/gruyere-badge.png
GET https://google-gruyere.appspot.com/static/gruyere.png
POST https://google-gruyere.appspot.com/564959828417281418006207909483102970029/upload2
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: WSDL File Detection [90030]
SKIP: Anti-clickjacking Header [10020]
PASS: Application Error Disclosure [90022]
SKIP: Re-examine Cache-control Directives [10015]
WARN: Charset Mismatch [90011] x 7
	https://google-gruyere.appspot.com (200)
	https://google-gruyere.appspot.com/ (200)
	https://google-gruyere.appspot.com/part1 (200)
	https://google-gruyere.appspot.com/part3 (200)
	https://google-gruyere.appspot.com/part2 (200)
WARN: Content Security Policy (CSP) Header Not Set [10038] x 75
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/ (200)
	https://google-gruyere.appspot.com (200)
	https://google-gruyere.appspot.com/0 (200)
	https://google-gruyere.appspot.com/1 (200)
	https://google-gruyere.appspot.com/2 (200)
PASS: CSP [10055]
PASS: Content-Type Header Missing [10019]
WARN: Cookie No HttpOnly Flag [10010] x 4
	https://google-gruyere.appspot.com/start (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/logout (200)
	https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP (200)
PASS: Loosely Scoped Cookie [90033]
WARN: Cookie without SameSite Attribute [10054] x 4
	https://google-gruyere.appspot.com/start (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/logout (200)
	https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP (200)
WARN: Cookie Without Secure Flag [10011] x 4
	https://google-gruyere.appspot.com/start (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/logout (200)
	https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP (200)
PASS: Cross-Domain Misconfiguration [10098]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
WARN: Absence of Anti-CSRF Tokens [10202] x 8
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/newaccount.gtl (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/newsnippet.gtl (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/upload.gtl (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/editprofile.gtl (200)
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
SKIP: Information Disclosure - Suspicious Comments [10027]
PASS: Weak Authentication Method [10105]
PASS: Insecure JSF ViewState [90001]
PASS: Secure Pages Include Mixed Content [10040]
SKIP: Timestamp Disclosure [10096]
PASS: Username Hash Found [10057]
PASS: Viewstate [10032]
PASS: X-AspNet-Version Response Header [10061]
WARN: X-Content-Type-Options Header Missing [10021] x 87
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/ (200)
	https://google-gruyere.appspot.com/robots.txt (200)
	https://google-gruyere.appspot.com (200)
	https://google-gruyere.appspot.com/0 (200)
	https://google-gruyere.appspot.com/1 (200)
PASS: X-Debug-Token Information Leak [10056]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
SKIP: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Directory Browsing [10033]
PASS: Hash Disclosure [10097]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: Reverse Tabnabbing [10108]
SKIP: Modern Web Application [10109]
PASS: PII Disclosure [10062]
SKIP: Retrieved from Cache [10050]
PASS: HTTP Server Response Header [10036]
SKIP: HTTP Parameter Override [10026]
WARN: Strict-Transport-Security Header [10035] x 90
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/ (200)
	https://google-gruyere.appspot.com/robots.txt (200)
	https://google-gruyere.appspot.com/sitemap.xml (404)
	https://google-gruyere.appspot.com (200)
	https://google-gruyere.appspot.com/0 (200)
PASS: User Controllable Charset [10030]
WARN: Cookie Poisoning [10029] x 4
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/564959828417281418006207909483102970029/login?pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP (200)
	https://google-gruyere.appspot.com/388167577584617422863891768023458118371/saveprofile?action=new&is_author=True&pw=ZAP&uid=ZAP (200)
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Open Redirect [10028]
PASS: X-Backend-Server Header Information Leak [10039]
SKIP: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Vulnerable JS Library [10003]
SUMMARY - PASS: 36 | WARN: 9 | SKIP: 9

section_end:1654479054:step_script
[zap_server] 9716 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Target Context at 2022-06-06T01:30:44.663+0000
[zap_server] 9719 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
[zap_server] 9747 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
[zap_server] 13538 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
[zap_server] 13540 [ZAP-SpiderShutdownThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true on Context: Target Context at 2022-06-06T01:30:48.487+0000
section_start:1654479054:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
gl-dast-report.json: found 1 matching files and directories
Uploading artifacts as "dast" to coordinator... 201 Created  id=50 responseStatus=201 Created token=sKmavyqw

section_end:1654479056:upload_artifacts_on_success
section_start:1654479056:cleanup_file_variables
Cleaning up project directory and file based variables

section_end:1654479056:cleanup_file_variables
Job succeeded
Edited by Craig Smith
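The passive-scan result lines at the end of the job log above (`PASS:` / `WARN:` / `SKIP:` with the ZAP rule id in square brackets, tab-indented `url (status)` lines under each `WARN`, and a closing `SUMMARY` line) are the natural thing to gate a pipeline on. The script below is an added example, not GitLab's or ZAP's own code: it parses those lines, checks that the `SUMMARY` counts agree with the per-rule lines (a truncated or interleaved log fails that check), and returns the `WARN` findings for a caller-chosen set of rule ids. Note that the URL list printed under a `WARN` is truncated in the log (`x 87` with five URLs shown), so the parser keeps the declared `x N` count separately from the URLs it actually saw. The sample input is a constructed subset of the lines above, and the blocking rule ids (cookie flags and HSTS) are an illustrative choice, not a GitLab default.

```python
"""Parse ZAP passive-scan result lines as printed by a GitLab DAST job and gate on them."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not GitLab's or ZAP's own code). The line shapes follow the job log
# above; SAMPLE_LOG is a constructed subset of those lines, not the full output.
SAMPLE_LOG = """\
PASS: Script Passive Scan Rules [50001]
SKIP: Anti-clickjacking Header [10020]
WARN: Cookie No HttpOnly Flag [10010] x 4
\thttps://google-gruyere.appspot.com/start (200)
\thttps://google-gruyere.appspot.com/564959828417281418006207909483102970029/logout (200)
WARN: Strict-Transport-Security Header [10035] x 90
\thttps://google-gruyere.appspot.com/sitemap.xml (404)
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
SUMMARY - PASS: 2 | WARN: 2 | SKIP: 1
"""

# "STATUS: Rule title [id]" with an optional " x N" instance count on WARN lines.
RESULT_RE = re.compile(r"^(PASS|WARN|SKIP): (.+) \[(\d+)\](?: x (\d+))?$")
# Tab-indented "url (http_status)" lines that follow a WARN line.
INSTANCE_RE = re.compile(r"^\t(\S+) \((\d{3})\)$")
SUMMARY_RE = re.compile(r"^SUMMARY - PASS: (\d+) \| WARN: (\d+) \| SKIP: (\d+)$")


@dataclass
class Finding:
    status: str    # PASS, WARN or SKIP
    name: str      # rule title as printed
    rule_id: int   # ZAP scan-rule id from the square brackets
    count: int     # "x N" on WARN lines; the printed URL list is truncated, so this is authoritative
    instances: List[Tuple[str, int]] = field(default_factory=list)  # (url, status) lines actually printed


@dataclass
class ScanResult:
    findings: List[Finding]
    summary: Optional[Dict[str, int]]  # counts from the SUMMARY line, None if it never appeared


def parse_results(text: str) -> ScanResult:
    """Walk the log once; instance lines attach to the most recent result line."""
    findings: List[Finding] = []
    summary = None
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            status, name, rule_id, count = m.groups()
            findings.append(Finding(status, name, int(rule_id), int(count) if count else 0))
            continue
        m = INSTANCE_RE.match(line)
        if m and findings:
            findings[-1].instances.append((m.group(1), int(m.group(2))))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = dict(zip(("PASS", "WARN", "SKIP"), map(int, m.groups())))
    return ScanResult(findings, summary)


def tally(result: ScanResult) -> Dict[str, int]:
    """Recount statuses from the per-rule lines, independent of the SUMMARY line."""
    counts = {"PASS": 0, "WARN": 0, "SKIP": 0}
    for f in result.findings:
        counts[f.status] += 1
    return counts


def summary_consistent(result: ScanResult) -> bool:
    """True only when a SUMMARY line exists and agrees with the lines we parsed."""
    return result.summary is not None and tally(result) == result.summary


def blocking_findings(result: ScanResult, blocking_rule_ids) -> List[Finding]:
    """WARN findings whose rule id is in the set the pipeline should fail on."""
    ids = set(blocking_rule_ids)
    return [f for f in result.findings if f.status == "WARN" and f.rule_id in ids]


if __name__ == "__main__":
    res = parse_results(SAMPLE_LOG)
    print(tally(res), "summary consistent:", summary_consistent(res))
    # Illustrative policy: cookie HttpOnly/Secure flags and HSTS must not WARN.
    for f in blocking_findings(res, {10010, 10011, 10035}):
        print(f"FAIL [{f.rule_id}] {f.name}: {f.count} URL(s) reported, {len(f.instances)} listed")
```

In a real job the input would be the captured step output rather than `SAMPLE_LOG`; the consistency check is worth keeping because the ZAP daemon and analyzer streams are interleaved in the raw log, and a single line split across streams (as happens twice in the output above) would otherwise silently drop a finding.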
