Use DAST_API_SPECIFICATION not DAST_API_OPENAPI
What does this MR do and why?
We discovered that DAST_API_OPENAPI causes an issue when running both dast and dast-api. This merge request replaces the use of DAST_API_OPENAPI with DAST_API_SPECIFICATION for on-demand dast scans, allowing us to run both analyzers in the same pipeline. This is safe to merge now that this merge request has been released.
Manual QA
- open review app
- create a new project, initialising it with a README
- create a new on-demand scan (Security & Compliance > On-demand scans) using https://petstore.swagger.io/v2/swagger.json
- save and run scan
Output
Running with gitlab-runner 15.1.0 (76984217)
on review-philipcunn-45wosp-gitlab-runner-5d6f476d46-c22zw sCwBsNcA
Resolving secrets 00:00
Preparing the "kubernetes" executor 00:00
Using Kubernetes namespace: review-philipcunn-45wosp
Using Kubernetes executor with image registry.gitlab.com/security-products/dast:3 ...
Using attach strategy to execute scripts...
Preparing environment
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotInitialized: "containers with incomplete status: [init-permissions]"
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-scwbsnca-project-195-concurrent-0bxg55 via review-philipcunn-45wosp-gitlab-runner-5d6f476d46-c22zw...
Getting source from Git repository 00:00
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:18
$ /analyze
2022-08-16 01:15:45,406 Running DAST v3.0.22 on Python 3.10.5 (main, Jun 8 2022, 09:26:22) [GCC 11.3.0]
2022-08-16 01:15:45,406 writing zap log configuration
2022-08-16 01:15:45,406 Starting the ZAP Server
2022-08-16 01:15:45,407 Running ZAP with parameters ['/zap/zap.sh', '-daemon', '-host', '0.0.0.0', '-port', '44172', '-dir', '/app/zap', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']
2022-08-16 01:15:45,407 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:45,413 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:46,414 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:46,420 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:47,422 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:47,426 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:48,428 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:48,433 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:49,434 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:49,440 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:50,442 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:50,448 Starting new HTTP connection (1): 127.0.0.1:44172
[zap_server] Found Java version 11.0.16
[zap_server] Available memory: 64319 MB
[zap_server] Using JVM args: -Xmx16079m
[zap_server] 733 [main] INFO org.parosproxy.paros.Constant - Copying default configuration to /app/zap/config.xml
[zap_server] 939 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2022-08-08 started 16/08/2022, 01:15:46 with home /app/zap/
[zap_server] 965 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap_server] 967 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap_server] 3677 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=13.0.0], [id=ascanrules, version=46.0.0], [id=ascanrulesBeta, version=41.0.0], [id=automation, version=0.16.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.4.0], [id=commonlib, version=1.9.0], [id=coreLang, version=16.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.2.0], [id=formhandler, version=5.0.0], [id=fuzz, version=13.6.0], [id=fuzzdb, version=8.0.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.9.0], [id=help, version=15.0.0], [id=hud, version=0.13.0], [id=invoke, version=11.0.0], [id=network, version=0.3.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=27.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=42.0.0], [id=pscanrulesBeta, version=29.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.15.0], [id=requester, version=7.0.0], [id=retest, version=0.2.0], [id=retire, version=0.12.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.9.0], [id=sequence, version=7.0.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=41.0.0], [id=webdrivermacos, version=44.0.0], [id=webdriverwindows, version=43.0.0], [id=websocket, version=26.0.0], [id=zest, version=35.0.0]]
[zap_server] 3678 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap_server] 4490 [ZAP-daemon] INFO org.zaproxy.addon.network.internal.TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]
[zap_server] 4800 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap_server] Aug 16, 2022 1:15:50 AM java.util.prefs.FileSystemPreferences$1 run
[zap_server] INFO: Created user preferences directory.
[zap_server] 5193 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Auto-update Extension - Allows ZAP to check for updates
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension - Options Extension
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension - Edit Menu Extension
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing API Extension - Provides a rest based API for controlling and accessing ZAP
[zap_server] 5201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension - History Extension
[zap_server] 5203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReveal - Show hidden fields and enable disabled fields
[zap_server] 5203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search Extension - Search messages for strings and regular expressions
[zap_server] 5204 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Breakpoint Extension - Allows you to intercept and modify requests and responses
[zap_server] 5205 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Extension - Passive scanner
[zap_server] 5252 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap_server] 5252 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
[zap_server] 5278 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Alerts Extension - Allows you to view and manage alerts
[zap_server] 5280 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Extension - Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap_server] 5285 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence - ExtensionSequence
[zap_server] 5286 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider Extension - Spider used for automatically finding URIs on a site
[zap_server] 5290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Standard Menus Extension - A set of common popup menus for miscellaneous tasks
[zap_server] 5290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionBruteForce - Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap_server] 5291 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPortScan - Simple but effective port scanner
[zap_server] 5292 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension - Manual Request Editor Extension
[zap_server] 5292 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compare Extension - Compares 2 sessions and generates an HTML file showing the differences
[zap_server] 5293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionInvoke - Invoke external applications passing context related information such as URLs and parameters
[zap_server] 5293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Anti-CSRF Extension - Handles anti cross site request forgery (CSRF) tokens
[zap_server] 5296 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension - Authentication Extension
[zap_server] 5311 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap_server] 5313 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Log4j Extension - Logs errors to the Output tab in development mode only
[zap_server] 5314 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension - Users Extension
[zap_server] 5316 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Parameters Extension - Summarise and analyse FORM and URL parameters as well as cookies
[zap_server] 5318 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script Extension - Script integration
[zap_server] 5321 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionScripts - Scripting console, supports all JSR 223 scripting languages
[zap_server] 5457 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension - Forced User Extension
[zap_server] 5458 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Sessions Extension - Extension handling HTTP sessions
[zap_server] 5460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionZest - Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff - ExtensionDiff
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension - HTTP Panel Post Table View Extension
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encoder Addon - Adds support for scriptable encoders to ZAP.
[zap_server] 5625 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPlugNHack - Simple browser configuration
[zap_server] 5625 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension - Session Management Extension
[zap_server] 5631 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap_server] 5632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension - HTTP Panel Form Table View Extension
[zap_server] 5632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebSockets Support - Capture messages from WebSockets with the ability to set breakpoints.
[zap_server] 5654 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionImportWSDL - Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI Extension - Core UI related functionality.
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension - Authorization Extension
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Requester - Multi-tab manual request editor interface
[zap_server] 5656 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSpiderAjax - AJAX Spider, uses Crawljax
[zap_server] 5657 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebDriver Provider - Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap_server] 5662 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAccessControl - Add-on that adds a set of tools for testing access control in web applications.
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Global Exclude URLs Extension - Handles adding Global Excluded URLs
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Refresh Sites Tree Extension - Adds menu item to refresh the Sites tree
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Help Extension - OWASP ZAP User Guide
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Call Home - Handles all of the calls to ZAP services
[zap_server] 5664 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Network Extension - Provides core networking capabilities.
[zap_server] 5685 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap_server] 5685 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap_server] 5686 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
[zap_server] 5687 [ZAP-daemon] INFO org.zaproxy.addon.network.ConnectionOptions - Unsafe SSL/TLS renegotiation disabled.
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension Configuration Extension - Allows you to configure which extensions are loaded when ZAP starts
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension - Combined HTTP Panels Extension
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension - HTTP Panel Hex View Extension
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension - HTTP Panel Image View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension - HTTP Panel Query Table View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension - HTTP Panel Syntax Highlighter View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Keyboard Configuration Extension - Adds support for configurable keyboard shortcuts for all of the ZAP menus.
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scanner Rule Configuration Extension - Active and passive rule configuration
[zap_server] 5692 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics Extension - Statistics
[zap_server] 5693 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Extension - Custom Pages Definition
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOnlineMenu - The Online menu links
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Advance Fuzzer - Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap_server] 5695 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing org.zaproxy.zap.extension.fuzz.httpfuzzer.ExtensionHttpFuzzer - Allows to fuzz HTTP messages.
[zap_server] 5696 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripts Automation Framework Integration - Scripts Automation
[zap_server] 5705 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAlertFilters - Context alert rules filter
[zap_server] 5707 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Alert Filters Automation - Alert Filters Automation Framework Integration
[zap_server] 5710 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionGraphQl - Allows you to inspect and attack GraphQL endpoints.
[zap_server] 5714 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing GraphQL Automation - GraphQL Automation Framework Integration
[zap_server] 5715 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOast - ExtensionOast
[zap_server] 5720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOastScripts - Adds OAST scripts.
[zap_server] 5721 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Automation Framework - Provides functionality to simplify using ZAP in an automated manner
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionTipsAndTricks - Tips and Tricks
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAscanRulesBeta - Beta status active scan rules
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generator - Templated and themed report generation functionality
[zap_server] 5724 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generat
2022-08-16 01:15:51,450 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:51,455 Starting new HTTP connection (1): 127.0.0.1:44172
ion Automation Integration - Report Generation Automation Integration
[zap_server] 5727 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start panel - Adds the Quick Start panel for scanning and exploring applications
[zap_server] 5728 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start Ajax Spider integration - Add the option to use the Ajax Spider in the Quick Start scan
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start HUD integration - Launch browsers proxying through ZAP
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionQuickStartLaunch - Launch browsers proxying through ZAP
[zap_server] 5729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - Release status passive scan rules
[zap_server] 5729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDomXSS - DOM XSS Active Scan Rule
[zap_server] 5799 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing org.zaproxy.addon.commonlib.ExtensionCommonlib - org.zaproxy.addon.commonlib.ExtensionCommonlib
[zap_server] 5800 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage - ExtensionSaveRawHttpMessage
[zap_server] 5800 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPscanRulesBeta - Passive Scan Rules - beta
[zap_server] 5801 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOpenApi - Allows you to spider and import OpenAPI (Swagger) definitions
[zap_server] 5803 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OpenAPI Automation - OpenAPI Automation Framework Integration
[zap_server] 5805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage - ExtensionSaveXMLHttpMessage
[zap_server] 5805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAscanRules - Active Scan Rules
[zap_server] 5806 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Ajax Spider Automation - Ajax Spider Automation Framework Integration
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionCoreLang - Translations of the core language files
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebSocket Fuzzer - Allows to fuzz WebSocket messages.
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionGettingStarted - The ZAP Getting Started Guide
[zap_server] 5809 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUD - Heads Up Display
[zap_server] 5844 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch - ExtensionHUDlaunch
[zap_server] 5845 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing SOAP Automation - SOAP Automation Framework Integration
[zap_server] 5848 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionRetest - The Retest add-on allows to verify the presence/absence of certain alerts.
[zap_server] 5849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing GraalVM JavaScript Engine Extension - Provides the GraalVM JavaScript engine for ZAP scripting.
[zap_server] 6117 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Import/Export - Import and Export functionality supporting multiple formats.
[zap_server] 6118 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Import/Ex
2022-08-16 01:15:52,456 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:52,461 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:53,463 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:53,467 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:53,772 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2022-08-16 01:15:53,772 connected to ZAP with version D-2022-08-08
2022-08-16 01:15:53,773 handover_to_dast
2022-08-16 01:15:53,773 zap_started
2022-08-16 01:15:53,777 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:54,327 http://127.0.0.1:44172 "GET http://zap/JSON/core/action/newSession/?apikey=&name=dast HTTP/1.1" 200 15
2022-08-16 01:15:54,328 Import OpenAPI URL https://petstore.swagger.io/v2/swagger.json
2022-08-16 01:15:54,333 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,702 http://127.0.0.1:44172 "GET http://zap/JSON/openapi/action/importUrl/?url=https%3A%2F%2Fpetstore.swagger.io%2Fv2%2Fswagger.json&apikey=&hostOverride=petstore.swagger.io HTTP/1.1" 200 16
2022-08-16 01:15:58,710 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,716 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 866
2022-08-16 01:15:58,717 Import warnings: []
2022-08-16 01:15:58,717 Number of imported URLs: 18
2022-08-16 01:15:58,717 Setting target to URL from API specification: https://petstore.swagger.io
2022-08-16 01:15:58,717 Setting target to new URL with host override: https://petstore.swagger.io
2022-08-16 01:15:58,717 Using scan target https://petstore.swagger.io
2022-08-16 01:15:58,722 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,737 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 7372
2022-08-16 01:15:58,743 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,777 http://127.0.0.1:44172 "GET http://zap/JSON/ascan/view/scanners/?scanPolicyName=API-Minimal HTTP/1.1" 200 15102
2022-08-16 01:15:58,782 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,789 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/action/disableScanners/?ids=10015%2C10020%2C10026%2C10027%2C10044%2C10050%2C10052%2C10096%2C10109&apikey= HTTP/1.1" 200 15
2022-08-16 01:15:58,795 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,814 http://127.0.0.1:44172 "GET http://zap/JSON/ascan/action/disableScanners/?ids=10104%2C20017%2C20018%2C30001%2C30002%2C30003%2C40009%2C40023%2C40028%2C40029%2C40034%2C43%2C90024%2C90027&apikey=&scanPolicyName=API-Minimal HTTP/1.1" 200 15
2022-08-16 01:15:58,815 starting scan
2022-08-16 01:15:58,821 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,825 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2022-08-16 01:15:58,826 Records to passive scan: 4
2022-08-16 01:16:00,833 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:00,838 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2022-08-16 01:16:00,839 Passive scanning complete!
2022-08-16 01:16:00,844 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:00,965 http://127.0.0.1:44172 "GET http://zap/JSON/alert/view/alerts/ HTTP/1.1" 200 153265
2022-08-16 01:16:00,967 ZAP database query: SELECT historyid,method,reqheader,resheader,timesentmillis,uri FROM history where historyid IN (4,1,7,1,7,4,7,4,1,7,4,7,4,1,1,11,10,8,11,8,10,11,10,8,11,11,10,10,8,9,9,8,12,12,12,12,12,13,14,13,14,13,14,13,14,9,13,14,16,16,16,16,18,16,18,19,18,19,18,18,19,19,19,22,20,9,23,9,22,20,23,23,20,22,24,20,22,24,20,22,24,24,24,25,25,25,26,26,28,27,26,27,28,26,27,28,27,26,28,26)
2022-08-16 01:16:00,967 Checking JVM started
2022-08-16 01:16:00,967 Getting JVM path
2022-08-16 01:16:00,969 Starting JVM
2022-08-16 01:16:01,189 JVM has started
2022-08-16 01:16:01,189 connecting to ZAP database /app/zap/session/dast.session
2022-08-16 01:16:02,125 ZAP database query: SELECT historyid,method,reqheader,resheader,timesentmillis,uri FROM history where histtype IN (1,2,10,9,15)
2022-08-16 01:16:02,134 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,142 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 7381
2022-08-16 01:16:02,155 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,160 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2022-08-16 01:16:02,165 The following 21 URLs were scanned:
DELETE https://petstore.swagger.io/v2/pet/10
DELETE https://petstore.swagger.io/v2/store/order/10
DELETE https://petstore.swagger.io/v2/user/username
GET https://petstore.swagger.io/v2/pet/10
GET https://petstore.swagger.io/v2/pet/findByStatus?status=available
GET https://petstore.swagger.io/v2/pet/findByTags?tags=tags
GET https://petstore.swagger.io/v2/store/inventory
GET https://petstore.swagger.io/v2/store/order/10
GET https://petstore.swagger.io/v2/swagger.json
GET https://petstore.swagger.io/v2/user/login?username=username&password=ZAP
GET https://petstore.swagger.io/v2/user/logout
GET https://petstore.swagger.io/v2/user/username
POST https://petstore.swagger.io/v2/pet
POST https://petstore.swagger.io/v2/pet/10
POST https://petstore.swagger.io/v2/pet/10/uploadImage
POST https://petstore.swagger.io/v2/store/order
POST https://petstore.swagger.io/v2/user
POST https://petstore.swagger.io/v2/user/createWithArray
POST https://petstore.swagger.io/v2/user/createWithList
PUT https://petstore.swagger.io/v2/pet
PUT https://petstore.swagger.io/v2/user/username
2022-08-16 01:16:02,170 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,175 http://127.0.0.1:44172 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
SKIP: Anti-clickjacking Header [10020]
PASS: Application Error Disclosure [90022]
SKIP: Re-examine Cache-control Directives [10015] x 16
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: Charset Mismatch [90011]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: CSP [10055]
PASS: Content-Type Header Missing [10019]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Loosely Scoped Cookie [90033]
PASS: Cookie without SameSite Attribute [10054]
PASS: Cookie Without Secure Flag [10011]
WARN: Cross-Domain Misconfiguration [10098] x 21
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet (200)
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Information Disclosure - Debug Error Messages [10023]
WARN: Information Disclosure - Sensitive Information in URL [10024] x 2
https://petstore.swagger.io/v2/user/login?username=username&password=ZAP (200)
https://petstore.swagger.io/v2/user/login?username=username&password=ZAP (200)
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
SKIP: Information Disclosure - Suspicious Comments [10027]
PASS: Weak Authentication Method [10105]
PASS: Insecure JSF ViewState [90001]
PASS: Secure Pages Include Mixed Content [10040]
SKIP: Timestamp Disclosure [10096]
PASS: Username Hash Found [10057]
PASS: Viewstate [10032]
PASS: X-AspNet-Version Response Header [10061]
WARN: X-Content-Type-Options Header Missing [10021] x 19
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: X-Debug-Token Information Leak [10056]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
SKIP: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Directory Browsing [10033]
PASS: Hash Disclosure [10097]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: Reverse Tabnabbing [10108]
SKIP: Modern Web Application [10109]
PASS: PII Disclosure [10062]
SKIP: Retrieved from Cache [10050]
WARN: HTTP Server Response Header [10036] x 21
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
SKIP: HTTP Parameter Override [10026]
WARN: Strict-Transport-Security Header [10035] x 21
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: User Controllable Charset [10030]
PASS: Cookie Poisoning [10029]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Open Redirect [10028]
PASS: X-Backend-Server Header Information Leak [10039]
SKIP: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Vulnerable JS Library [10003]
PASS: WSDL File Detection [90030]
SUMMARY - PASS: 39 | WARN: 6 | SKIP: 9
port Automation - Import/Export Automation Framework Integration
[zap_server] 6120 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionFormHandler - This extension allows a user to change the default values used by ZAP Spiders.
[zap_server] 6122 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReplacer - Easy way to replace strings in requests and responses
[zap_server] 6310 [ZAP-daemon] INFO org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:39663
[zap_server] 6312 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - Creating new root CA certificate.
[zap_server] 7169 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - New root CA certificate created.
[zap_server] 7191 [ZAP-daemon] INFO org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 7199 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:44172
[zap_server] 7199 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
[zap_server] 8227 [ZAP-IO-EventExecutor-3-1] INFO org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 8729 [ZAP-IO-EventExecutor-3-1] INFO org.parosproxy.paros.control.Control - New session file created: /app/zap/session/dast.session
Uploading artifacts for successful job 00:02
Uploading artifacts...
gl-dast-report.json: found 1 matching files and directories
Uploading artifacts as "dast" to coordinator... 201 Created id=49 responseStatus=201 Created token=aTT7VY9r
Cleaning up project directory and file based variables 00:01
Job succeeded
What are the relevant issue numbers?
DAST and API Security both use DAST_API_OPENAPI environment variable
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Merge request reports
Activity
changed milestone to %15.3
assigned to @philipcunningham
1 Warning: Please add a merge request subtype to this merge request.
1 Message: CHANGELOG missing. If you want to create a changelog entry for GitLab FOSS, add the Changelog trailer to the commit message you want to add to the changelog. If you want to create a changelog entry for GitLab EE, also add the EE: true trailer to your commit message. If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
added 1 commit
- 1a60d723 - Use DAST_API_SPECIFICATION not DAST_API_OPENAPI
Allure report
allure-report-publisher generated test report!
review-qa-blocking: test report for 1a60d723
+-----------------------------------------------------------------------------------------+
| suites summary                                                                          |
+------------------------------------+--------+--------+---------+-------+-------+--------+
|                                    | passed | failed | skipped | flaky | total | result |
+------------------------------------+--------+--------+---------+-------+-------+--------+
| Verify                             | 12     | 0      | 1       | 12    | 13    | ❗     |
| Create                             | 28     | 0      | 1       | 28    | 29    | ❗     |
| Feature flag handler sanity checks | 9      | 0      | 0       | 9     | 9     | ❗     |
| Plan                               | 47     | 0      | 1       | 47    | 48    | ❗     |
| Manage                             | 34     | 0      | 2       | 36    | 36    | ❗     |
| Protect                            | 2      | 0      | 0       | 2     | 2     | ❗     |
| Secure                             | 2      | 0      | 0       | 2     | 2     | ❗     |
| Package                            | 0      | 0      | 1       | 0     | 1     | ➖     |
| Configure                          | 0      | 0      | 1       | 0     | 1     | ➖     |
| Version sanity check               | 0      | 0      | 1       | 0     | 1     | ➖     |
+------------------------------------+--------+--------+---------+-------+-------+--------+
| Total                              | 134    | 0      | 8       | 136   | 142   | ❗     |
+------------------------------------+--------+--------+---------+-------+-------+--------+
- Resolved by Philip Cunningham
@philipcunningham - please see the following guidance and update this merge request.
1 Warning: Please add a subtype label to this merge request. If you have added a type label and do not feel the purpose of this merge request matches one of the subtype labels, please resolve this discussion.
- Resolved by Luke Duncalfe
@craigmsmith can you review this please?
requested review from @craigmsmith
@atiwari71 @derekferguson just wanted to give you a heads-up that when we want to use dast-api for on-demand, we'll need to make sure we send DAST_API_OPENAPI. we may want to handle this with a feature flag. /cc @cam_swords
@philipcunningham Thanks for the heads-up. We are changing the analyzer for on-demand DAST API scans to API Security in %15.4.
@mc_rocha @djadmin Just FYI, in case you need to change anything before we turn on the feature flag for this in %15.4.
@craigmsmith, thanks for approving this merge request. This is the first time the merge request is approved. To ensure full test coverage, a new pipeline has been started.
For more info, please refer to the following links:
requested review from @cablett
enabled an automatic merge when the pipeline for b8d0c1c7 succeeds
mentioned in merge request gitlab-org/security-products/dast!642 (merged)
mentioned in commit a1dd0394
added workflow::staging-canary label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added workflow::post-deploy-db-production label and removed workflow::post-deploy-db-staging label
added released::candidate label
added released::published label and removed released::candidate label