Use DAST_API_SPECIFICATION not DAST_API_OPENAPI
What does this MR do and why?
We discovered that DAST_API_OPENAPI causes an issue when running both dast and dast-api. This merge request replaces the use of DAST_API_OPENAPI with DAST_API_SPECIFICATION for on-demand dast scans, allowing us to run both analyzers in the same pipeline. This is safe to merge now that this merge request has been released.
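The variable split the description relies on, shown as an added pipeline fragment that is not part of this merge request or of GitLab's own templates: the DAST analyzer reads its API definition from DAST_API_SPECIFICATION, the dast-api analyzer from DAST_API_OPENAPI, so each name is set only on the job that consumes it. The spec URL is the petstore one from the QA steps; the per-job variable layout and the target URLs are assumptions for illustration.

```yaml
include:
  - template: Security/DAST.gitlab-ci.yml
  - template: Security/DAST-API.gitlab-ci.yml

# Problematic layout (kept here only as a comment): a pipeline-wide
# DAST_API_OPENAPI is inherited by every job, so both analyzers pick it up.
# variables:
#   DAST_API_OPENAPI: https://petstore.swagger.io/v2/swagger.json

# Corrected layout: each analyzer gets its own variable, scoped to its job.
dast:
  variables:
    DAST_WEBSITE: https://petstore.swagger.io            # assumed target
    DAST_API_SPECIFICATION: https://petstore.swagger.io/v2/swagger.json

dast_api:
  variables:
    DAST_API_TARGET_URL: https://petstore.swagger.io/v2  # assumed target
    DAST_API_OPENAPI: https://petstore.swagger.io/v2/swagger.json
```

Job-level variables override pipeline-level ones in GitLab CI, so this layout also survives a project that still carries a global DAST_API_OPENAPI: the dast job ignores it and uses DAST_API_SPECIFICATION.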
Manual QA
- open review app
- create a new project, initialising it with a README
- create a new on demand scan (security & compliance > on-demand scans) using https://petstore.swagger.io/v2/swagger.json
- save and run scan
Output
Running with gitlab-runner 15.1.0 (76984217)
on review-philipcunn-45wosp-gitlab-runner-5d6f476d46-c22zw sCwBsNcA
Resolving secrets 00:00
Preparing the "kubernetes" executor 00:00
Using Kubernetes namespace: review-philipcunn-45wosp
Using Kubernetes executor with image registry.gitlab.com/security-products/dast:3 ...
Using attach strategy to execute scripts...
Preparing environment
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotInitialized: "containers with incomplete status: [init-permissions]"
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod review-philipcunn-45wosp/runner-scwbsnca-project-195-concurrent-0bxg55 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-scwbsnca-project-195-concurrent-0bxg55 via review-philipcunn-45wosp-gitlab-runner-5d6f476d46-c22zw...
Getting source from Git repository 00:00
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:18
$ /analyze
2022-08-16 01:15:45,406 Running DAST v3.0.22 on Python 3.10.5 (main, Jun 8 2022, 09:26:22) [GCC 11.3.0]
2022-08-16 01:15:45,406 writing zap log configuration
2022-08-16 01:15:45,406 Starting the ZAP Server
2022-08-16 01:15:45,407 Running ZAP with parameters ['/zap/zap.sh', '-daemon', '-host', '0.0.0.0', '-port', '44172', '-dir', '/app/zap', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']
2022-08-16 01:15:45,407 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:45,413 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:46,414 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:46,420 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:47,422 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:47,426 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:48,428 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:48,433 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:49,434 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:49,440 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:50,442 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:50,448 Starting new HTTP connection (1): 127.0.0.1:44172
[zap_server] Found Java version 11.0.16
[zap_server] Available memory: 64319 MB
[zap_server] Using JVM args: -Xmx16079m
[zap_server] 733 [main] INFO org.parosproxy.paros.Constant - Copying default configuration to /app/zap/config.xml
[zap_server] 939 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2022-08-08 started 16/08/2022, 01:15:46 with home /app/zap/
[zap_server] 965 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap_server] 966 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap_server] 967 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap_server] 3677 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=13.0.0], [id=ascanrules, version=46.0.0], [id=ascanrulesBeta, version=41.0.0], [id=automation, version=0.16.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.4.0], [id=commonlib, version=1.9.0], [id=coreLang, version=16.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.2.0], [id=formhandler, version=5.0.0], [id=fuzz, version=13.6.0], [id=fuzzdb, version=8.0.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.9.0], [id=help, version=15.0.0], [id=hud, version=0.13.0], [id=invoke, version=11.0.0], [id=network, version=0.3.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=27.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=42.0.0], [id=pscanrulesBeta, version=29.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.15.0], [id=requester, version=7.0.0], [id=retest, version=0.2.0], [id=retire, version=0.12.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.9.0], [id=sequence, version=7.0.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=41.0.0], [id=webdrivermacos, version=44.0.0], [id=webdriverwindows, version=43.0.0], [id=websocket, version=26.0.0], [id=zest, version=35.0.0]]
[zap_server] 3678 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap_server] 4490 [ZAP-daemon] INFO org.zaproxy.addon.network.internal.TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]
[zap_server] 4800 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap_server] Aug 16, 2022 1:15:50 AM java.util.prefs.FileSystemPreferences$1 run
[zap_server] INFO: Created user preferences directory.
[zap_server] 5193 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Auto-update Extension - Allows ZAP to check for updates
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension - Options Extension
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension - Edit Menu Extension
[zap_server] 5195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing API Extension - Provides a rest based API for controlling and accessing ZAP
[zap_server] 5201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension - History Extension
[zap_server] 5203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReveal - Show hidden fields and enable disabled fields
[zap_server] 5203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search Extension - Search messages for strings and regular expressions
[zap_server] 5204 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Breakpoint Extension - Allows you to intercept and modify requests and responses
[zap_server] 5205 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Extension - Passive scanner
[zap_server] 5252 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap_server] 5252 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap_server] 5253 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap_server] 5254 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap_server] 5255 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
[zap_server] 5256 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap_server] 5257 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap_server] 5258 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap_server] 5259 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
[zap_server] 5260 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
[zap_server] 5278 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Alerts Extension - Allows you to view and manage alerts
[zap_server] 5280 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Extension - Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap_server] 5285 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence - ExtensionSequence
[zap_server] 5286 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider Extension - Spider used for automatically finding URIs on a site
[zap_server] 5290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Standard Menus Extension - A set of common popup menus for miscellaneous tasks
[zap_server] 5290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionBruteForce - Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap_server] 5291 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPortScan - Simple but effective port scanner
[zap_server] 5292 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension - Manual Request Editor Extension
[zap_server] 5292 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compare Extension - Compares 2 sessions and generates an HTML file showing the differences
[zap_server] 5293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionInvoke - Invoke external applications passing context related information such as URLs and parameters
[zap_server] 5293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Anti-CSRF Extension - Handles anti cross site request forgery (CSRF) tokens
[zap_server] 5296 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension - Authentication Extension
[zap_server] 5311 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap_server] 5313 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Log4j Extension - Logs errors to the Output tab in development mode only
[zap_server] 5314 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension - Users Extension
[zap_server] 5316 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Parameters Extension - Summarise and analyse FORM and URL parameters as well as cookies
[zap_server] 5318 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script Extension - Script integration
[zap_server] 5321 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionScripts - Scripting console, supports all JSR 223 scripting languages
[zap_server] 5457 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension - Forced User Extension
[zap_server] 5458 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Sessions Extension - Extension handling HTTP sessions
[zap_server] 5460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionZest - Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff - ExtensionDiff
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension - HTTP Panel Post Table View Extension
[zap_server] 5624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encoder Addon - Adds support for scriptable encoders to ZAP.
[zap_server] 5625 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPlugNHack - Simple browser configuration
[zap_server] 5625 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension - Session Management Extension
[zap_server] 5631 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap_server] 5632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension - HTTP Panel Form Table View Extension
[zap_server] 5632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebSockets Support - Capture messages from WebSockets with the ability to set breakpoints.
[zap_server] 5654 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionImportWSDL - Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI Extension - Core UI related functionality.
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension - Authorization Extension
[zap_server] 5655 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Requester - Multi-tab manual request editor interface
[zap_server] 5656 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSpiderAjax - AJAX Spider, uses Crawljax
[zap_server] 5657 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebDriver Provider - Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap_server] 5662 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAccessControl - Add-on that adds a set of tools for testing access control in web applications.
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Global Exclude URLs Extension - Handles adding Global Excluded URLs
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Refresh Sites Tree Extension - Adds menu item to refresh the Sites tree
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Help Extension - OWASP ZAP User Guide
[zap_server] 5663 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Call Home - Handles all of the calls to ZAP services
[zap_server] 5664 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Network Extension - Provides core networking capabilities.
[zap_server] 5685 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap_server] 5685 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap_server] 5686 [ZAP-daemon] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
[zap_server] 5687 [ZAP-daemon] INFO org.zaproxy.addon.network.ConnectionOptions - Unsafe SSL/TLS renegotiation disabled.
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension Configuration Extension - Allows you to configure which extensions are loaded when ZAP starts
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension - Combined HTTP Panels Extension
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension - HTTP Panel Hex View Extension
[zap_server] 5688 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension - HTTP Panel Image View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension - HTTP Panel Query Table View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension - HTTP Panel Syntax Highlighter View Extension
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Keyboard Configuration Extension - Adds support for configurable keyboard shortcuts for all of the ZAP menus.
[zap_server] 5689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scanner Rule Configuration Extension - Active and passive rule configuration
[zap_server] 5692 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics Extension - Statistics
[zap_server] 5693 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Extension - Custom Pages Definition
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOnlineMenu - The Online menu links
[zap_server] 5694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Advance Fuzzer - Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap_server] 5695 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing org.zaproxy.zap.extension.fuzz.httpfuzzer.ExtensionHttpFuzzer - Allows to fuzz HTTP messages.
[zap_server] 5696 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripts Automation Framework Integration - Scripts Automation
[zap_server] 5705 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAlertFilters - Context alert rules filter
[zap_server] 5707 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Alert Filters Automation - Alert Filters Automation Framework Integration
[zap_server] 5710 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionGraphQl - Allows you to inspect and attack GraphQL endpoints.
[zap_server] 5714 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing GraphQL Automation - GraphQL Automation Framework Integration
[zap_server] 5715 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOast - ExtensionOast
[zap_server] 5720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOastScripts - Adds OAST scripts.
[zap_server] 5721 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Automation Framework - Provides functionality to simplify using ZAP in an automated manner
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionTipsAndTricks - Tips and Tricks
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAscanRulesBeta - Beta status active scan rules
[zap_server] 5722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generator - Templated and themed report generation functionality
[zap_server] 5724 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Generation Automation Integration - Report Generation Automation Integration
2022-08-16 01:15:51,450 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:51,455 Starting new HTTP connection (1): 127.0.0.1:44172
[zap_server] 5727 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start panel - Adds the Quick Start panel for scanning and exploring applications
[zap_server] 5728 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start Ajax Spider integration - Add the option to use the Ajax Spider in the Quick Start scan
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start HUD integration - Launch browsers proxying through ZAP
[zap_server] 5728 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionQuickStartLaunch - Launch browsers proxying through ZAP
[zap_server] 5729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - Release status passive scan rules
[zap_server] 5729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDomXSS - DOM XSS Active Scan Rule
[zap_server] 5799 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing org.zaproxy.addon.commonlib.ExtensionCommonlib - org.zaproxy.addon.commonlib.ExtensionCommonlib
[zap_server] 5800 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage - ExtensionSaveRawHttpMessage
[zap_server] 5800 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionPscanRulesBeta - Passive Scan Rules - beta
[zap_server] 5801 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOpenApi - Allows you to spider and import OpenAPI (Swagger) definitions
[zap_server] 5803 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OpenAPI Automation - OpenAPI Automation Framework Integration
[zap_server] 5805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage - ExtensionSaveXMLHttpMessage
[zap_server] 5805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAscanRules - Active Scan Rules
[zap_server] 5806 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Ajax Spider Automation - Ajax Spider Automation Framework Integration
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionCoreLang - Translations of the core language files
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing WebSocket Fuzzer - Allows to fuzz WebSocket messages.
[zap_server] 5808 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionGettingStarted - The ZAP Getting Started Guide
[zap_server] 5809 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUD - Heads Up Display
[zap_server] 5844 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch - ExtensionHUDlaunch
[zap_server] 5845 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing SOAP Automation - SOAP Automation Framework Integration
[zap_server] 5848 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionRetest - The Retest add-on allows to verify the presence/absence of certain alerts.
[zap_server] 5849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing GraalVM JavaScript Engine Extension - Provides the GraalVM JavaScript engine for ZAP scripting.
[zap_server] 6117 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Import/Export - Import and Export functionality supporting multiple formats.
[zap_server] 6118 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Import/Ex
2022-08-16 01:15:52,456 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:52,461 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:53,463 looking for ZAP at http://127.0.0.1:44172...
2022-08-16 01:15:53,467 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:53,772 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2022-08-16 01:15:53,772 connected to ZAP with version D-2022-08-08
2022-08-16 01:15:53,773 handover_to_dast
2022-08-16 01:15:53,773 zap_started
2022-08-16 01:15:53,777 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:54,327 http://127.0.0.1:44172 "GET http://zap/JSON/core/action/newSession/?apikey=&name=dast HTTP/1.1" 200 15
2022-08-16 01:15:54,328 Import OpenAPI URL https://petstore.swagger.io/v2/swagger.json
2022-08-16 01:15:54,333 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,702 http://127.0.0.1:44172 "GET http://zap/JSON/openapi/action/importUrl/?url=https%3A%2F%2Fpetstore.swagger.io%2Fv2%2Fswagger.json&apikey=&hostOverride=petstore.swagger.io HTTP/1.1" 200 16
2022-08-16 01:15:58,710 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,716 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 866
2022-08-16 01:15:58,717 Import warnings: []
2022-08-16 01:15:58,717 Number of imported URLs: 18
2022-08-16 01:15:58,717 Setting target to URL from API specification: https://petstore.swagger.io
2022-08-16 01:15:58,717 Setting target to new URL with host override: https://petstore.swagger.io
2022-08-16 01:15:58,717 Using scan target https://petstore.swagger.io
2022-08-16 01:15:58,722 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,737 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 7372
2022-08-16 01:15:58,743 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,777 http://127.0.0.1:44172 "GET http://zap/JSON/ascan/view/scanners/?scanPolicyName=API-Minimal HTTP/1.1" 200 15102
2022-08-16 01:15:58,782 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,789 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/action/disableScanners/?ids=10015%2C10020%2C10026%2C10027%2C10044%2C10050%2C10052%2C10096%2C10109&apikey= HTTP/1.1" 200 15
2022-08-16 01:15:58,795 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,814 http://127.0.0.1:44172 "GET http://zap/JSON/ascan/action/disableScanners/?ids=10104%2C20017%2C20018%2C30001%2C30002%2C30003%2C40009%2C40023%2C40028%2C40029%2C40034%2C43%2C90024%2C90027&apikey=&scanPolicyName=API-Minimal HTTP/1.1" 200 15
2022-08-16 01:15:58,815 starting scan
2022-08-16 01:15:58,821 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:15:58,825 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2022-08-16 01:15:58,826 Records to passive scan: 4
2022-08-16 01:16:00,833 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:00,838 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2022-08-16 01:16:00,839 Passive scanning complete!
2022-08-16 01:16:00,844 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:00,965 http://127.0.0.1:44172 "GET http://zap/JSON/alert/view/alerts/ HTTP/1.1" 200 153265
2022-08-16 01:16:00,967 ZAP database query: SELECT historyid,method,reqheader,resheader,timesentmillis,uri FROM history where historyid IN (4,1,7,1,7,4,7,4,1,7,4,7,4,1,1,11,10,8,11,8,10,11,10,8,11,11,10,10,8,9,9,8,12,12,12,12,12,13,14,13,14,13,14,13,14,9,13,14,16,16,16,16,18,16,18,19,18,19,18,18,19,19,19,22,20,9,23,9,22,20,23,23,20,22,24,20,22,24,20,22,24,24,24,25,25,25,26,26,28,27,26,27,28,26,27,28,27,26,28,26)
2022-08-16 01:16:00,967 Checking JVM started
2022-08-16 01:16:00,967 Getting JVM path
2022-08-16 01:16:00,969 Starting JVM
2022-08-16 01:16:01,189 JVM has started
2022-08-16 01:16:01,189 connecting to ZAP database /app/zap/session/dast.session
2022-08-16 01:16:02,125 ZAP database query: SELECT historyid,method,reqheader,resheader,timesentmillis,uri FROM history where histtype IN (1,2,10,9,15)
2022-08-16 01:16:02,134 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,142 http://127.0.0.1:44172 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 7381
2022-08-16 01:16:02,155 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,160 http://127.0.0.1:44172 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2022-08-16 01:16:02,165 The following 21 URLs were scanned:
DELETE https://petstore.swagger.io/v2/pet/10
DELETE https://petstore.swagger.io/v2/store/order/10
DELETE https://petstore.swagger.io/v2/user/username
GET https://petstore.swagger.io/v2/pet/10
GET https://petstore.swagger.io/v2/pet/findByStatus?status=available
GET https://petstore.swagger.io/v2/pet/findByTags?tags=tags
GET https://petstore.swagger.io/v2/store/inventory
GET https://petstore.swagger.io/v2/store/order/10
GET https://petstore.swagger.io/v2/swagger.json
GET https://petstore.swagger.io/v2/user/login?username=username&password=ZAP
GET https://petstore.swagger.io/v2/user/logout
GET https://petstore.swagger.io/v2/user/username
POST https://petstore.swagger.io/v2/pet
POST https://petstore.swagger.io/v2/pet/10
POST https://petstore.swagger.io/v2/pet/10/uploadImage
POST https://petstore.swagger.io/v2/store/order
POST https://petstore.swagger.io/v2/user
POST https://petstore.swagger.io/v2/user/createWithArray
POST https://petstore.swagger.io/v2/user/createWithList
PUT https://petstore.swagger.io/v2/pet
PUT https://petstore.swagger.io/v2/user/username
2022-08-16 01:16:02,170 Starting new HTTP connection (1): 127.0.0.1:44172
2022-08-16 01:16:02,175 http://127.0.0.1:44172 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
SKIP: Anti-clickjacking Header [10020]
PASS: Application Error Disclosure [90022]
SKIP: Re-examine Cache-control Directives [10015] x 16
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: Charset Mismatch [90011]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: CSP [10055]
PASS: Content-Type Header Missing [10019]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Loosely Scoped Cookie [90033]
PASS: Cookie without SameSite Attribute [10054]
PASS: Cookie Without Secure Flag [10011]
WARN: Cross-Domain Misconfiguration [10098] x 21
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet (200)
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Information Disclosure - Debug Error Messages [10023]
WARN: Information Disclosure - Sensitive Information in URL [10024] x 2
https://petstore.swagger.io/v2/user/login?username=username&password=ZAP (200)
https://petstore.swagger.io/v2/user/login?username=username&password=ZAP (200)
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
SKIP: Information Disclosure - Suspicious Comments [10027]
PASS: Weak Authentication Method [10105]
PASS: Insecure JSF ViewState [90001]
PASS: Secure Pages Include Mixed Content [10040]
SKIP: Timestamp Disclosure [10096]
PASS: Username Hash Found [10057]
PASS: Viewstate [10032]
PASS: X-AspNet-Version Response Header [10061]
WARN: X-Content-Type-Options Header Missing [10021] x 19
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: X-Debug-Token Information Leak [10056]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
SKIP: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Directory Browsing [10033]
PASS: Hash Disclosure [10097]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: Reverse Tabnabbing [10108]
SKIP: Modern Web Application [10109]
PASS: PII Disclosure [10062]
SKIP: Retrieved from Cache [10050]
WARN: HTTP Server Response Header [10036] x 21
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
SKIP: HTTP Parameter Override [10026]
WARN: Strict-Transport-Security Header [10035] x 21
https://petstore.swagger.io/v2/pet (200)
https://petstore.swagger.io/v2/pet/10/uploadImage (200)
https://petstore.swagger.io/v2/swagger.json (200)
https://petstore.swagger.io/v2/pet/10 (200)
https://petstore.swagger.io/v2/pet/findByTags?tags=tags (200)
PASS: User Controllable Charset [10030]
PASS: Cookie Poisoning [10029]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Open Redirect [10028]
PASS: X-Backend-Server Header Information Leak [10039]
SKIP: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Vulnerable JS Library [10003]
PASS: WSDL File Detection [90030]
SUMMARY - PASS: 39 | WARN: 6 | SKIP: 9
port Automation - Import/Export Automation Framework Integration
[zap_server] 6120 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionFormHandler - This extension allows a user to change the default values used by ZAP Spiders.
[zap_server] 6122 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReplacer - Easy way to replace strings in requests and responses
[zap_server] 6310 [ZAP-daemon] INFO org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:39663
[zap_server] 6312 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - Creating new root CA certificate.
[zap_server] 7169 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - New root CA certificate created.
[zap_server] 7191 [ZAP-daemon] INFO org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 7199 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:44172
[zap_server] 7199 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
[zap_server] 8227 [ZAP-IO-EventExecutor-3-1] INFO org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
[zap_server] 8729 [ZAP-IO-EventExecutor-3-1] INFO org.parosproxy.paros.control.Control - New session file created: /app/zap/session/dast.session
Uploading artifacts for successful job 00:02
Uploading artifacts...
gl-dast-report.json: found 1 matching files and directories
Uploading artifacts as "dast" to coordinator... 201 Created id=49 responseStatus=201 Created token=aTT7VY9r
Cleaning up project directory and file based variables 00:01
Job succeeded
What are the relevant issue numbers?
DAST and API Security both use DAST_API_OPENAPI environment variable
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Status | Duration | Pipeline | Stages
---|---|---|---
Passed | 01:13:12 | GitLab | sync, prepare, build-images, fixtures, lint, test, post-test, review, qa
Failed | 02:31:16 | GitLab | sync, prepare, build-images, fixtures, lint, test, post-test, review, qa
Passed | 01:13:50 | GitLab | sync, prepare, build-images, fixtures, lint, test, post-test, review, qa
Passed | 01:06:52 | GitLab | sync, prepare, build-images, fixtures, lint, test, post-test, review, qa
Canceled | 00:07:57 | GitLab | sync, prepare, build-images, fixtures, lint, test, post-test, review, qa