csedevops's People

Contributors

anthturner, bsamodien, dariuszporowski, dependabot[bot], dimitryvlasenko, expressdead, kenmuse, microsoftopensource, msftgits, tsluyter

csedevops's Issues

Configurable Pipeline Runner: Unable to get System Access Token

Hi,
I'm trying to use this Azure DevOps pipeline task, and when I use it, it throws the following error. I'm not sure why it is so, or what permissions or changes I need to make to allow it to use the SystemAccessToken...?

2021-10-25T01:24:25.7176135Z ############### Starting task execution ###############
2021-10-25T01:24:25.7193855Z INFO: Setting AZURE_DEVOPS_EXT_PAT
2021-10-25T01:24:25.7222937Z ##[error]Unable to get System Access Token
2021-10-25T01:24:25.7254247Z Error: Unable to get System Access Token
2021-10-25T01:24:25.7254890Z at SdkPipelineRunner.setAccessToken (D:\a_tasks\RunPipelines_d64d9bd6-11d8-461d-8517-56f86cbd9ed6\2.4.2\services\sdkPipelineRunner.js:46:27)
2021-10-25T01:24:25.7271567Z at new SdkPipelineRunner (D:\a_tasks\RunPipelines_d64d9bd6-11d8-461d-8517-56f86cbd9ed6\2.4.2\services\sdkPipelineRunner.js:40:14)
2021-10-25T01:24:25.7272406Z at new RunPipelines (D:\a_tasks\RunPipelines_d64d9bd6-11d8-461d-8517-56f86cbd9ed6\2.4.2\index.js:20:31)
2021-10-25T01:24:25.7273066Z at main (D:\a_tasks\RunPipelines_d64d9bd6-11d8-461d-8517-56f86cbd9ed6\2.4.2\index.js:195:26)
2021-10-25T01:24:25.7273719Z at Object.<anonymous> (D:\a_tasks\RunPipelines_d64d9bd6-11d8-461d-8517-56f86cbd9ed6\2.4.2\index.js:199:5)
2021-10-25T01:24:25.7276531Z at Module._compile (internal/modules/cjs/loader.js:778:30)
2021-10-25T01:24:25.7277083Z at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
2021-10-25T01:24:25.7277501Z at Module.load (internal/modules/cjs/loader.js:653:32)
2021-10-25T01:24:25.7286497Z at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
2021-10-25T01:24:25.7290481Z at Function.Module._load (internal/modules/cjs/loader.js:585:3)

Reporting - Install Handlebars - Documentation step - invalid YAML

From here - https://marketplace.visualstudio.com/items?itemName=CSE-DevOps.zap-scanner&ssr=false#overview

Reporting > Install Handlebars instructions

The YAML Bash step reports as "Invalid YAML Structure" in the Azure DevOps Pipeline Editor

Line 69 in this example

# ASP.NET Core (.NET Framework)
# Build and test ASP.NET Core projects targeting the full .NET Framework.
# Add steps that publish symbols, save build artifacts, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/dotnet-core

name: $(date:yyyyMMdd)$(rev:.r)-$(SourceBranchName)

trigger:
- owasp-zap

stages:
- stage: Scan_stage
  jobs:
    - job : OWASP_ZAP
      pool:
        vmImage: 'ubuntu-latest'
      steps:
      - task: DockerInstaller@0
        inputs:
          dockerVersion: '17.09.0-ce'
      - task: owaspzap@1
        inputs:
          aggressivemode: false
          scantype: 'targetedScan'
          url: 'https://mytest.site.net'
          port: '443'
          # remove for default 50 - pipeline will fail when 50 is reached
          threshold: '999999'
      - bash: |
        sudo npm install -g handlebars-cmd

        cat <<EOF > owaspzap/nunit-template.hbs
        {{#each site}}

        <test-run
            id="2"
            name="Owasp test"
            start-time="{{../[@generated]}}"  >
            <test-suite
                id="{{@index}}"
                type="Assembly"
                name="{{[@name]}}"
                result="Failed"
                failed="{{alerts.length}}">
                <attachments>
                    <attachment>
                        <filePath>owaspzap/report.html</filePath>
                    </attachment>
                </attachments>
            {{#each alerts}}<test-case
                id="{{@index}}"
                name="{{alert}}"
                result="Failed"
                fullname="{{alert}}"
                time="1">
                    <failure>
                        <message>
                            <![CDATA[{{{desc}}}]]>
                        </message>
                        <stack-trace>
                            <![CDATA[
        Solution:
        {{{solution}}}

        Reference:
        {{{reference}}}

        instances:{{#each instances}}
        * {{uri}}
            - {{method}}
            {{#if evidence}}- {{{evidence}}}{{/if}}
                            {{/each}}]]>
                        </stack-trace>
                    </failure>
            </test-case>
            {{/each}}
            </test-suite>
        </test-run>
        {{/each}}
        EOF
        displayName: 'owasp nunit template'
        condition: always()
      - bash: ' handlebars owaspzap/report.json < owaspzap/nunit-template.hbs > owaspzap/test-results.xml'
        displayName: 'generate nunit type file'
        condition: always()                            
      - task: PublishTestResults@2
        displayName: 'Publish Test Results **/TEST-*.xml'
        inputs:
          testResultsFormat: NUnit
          testResultsFiles: 'owaspzap/test-results.xml'
        condition: always()

DevOps Publish Test Results Task Fails

Hello,

Receiving the following error in the Publish Test Results task after successfully running both Bash scripts as found on your reporting documentation (https://marketplace.visualstudio.com/items?itemName=CSE-DevOps.zap-scanner). Test results are not shown on the test tab even though the task is marked as having succeeded:

2019-12-05T14:36:03.5747957Z ##[debug]OS type: Linux
2019-12-05T14:36:04.4503434Z ##[debug]Reading test results from file '/home/vsts/work/r1/a/owaspzap/test-results.xml'
2019-12-05T14:36:04.4569568Z ##[warning]Failed to read /home/vsts/work/r1/a/owaspzap/test-results.xml. Error : Data at the root level is invalid. Line 22, position 4..
2019-12-05T14:36:04.4591686Z ##[warning]Failed to publish test results: Object reference not set to an instance of an object.
2019-12-05T14:36:04.4717111Z ##[debug]Processed: ##vso[results.publish type=NUnit;mergeResults=false;publishRunAttachments=true;resultFiles=/home/vsts/work/r1/a/owaspzap/test-results.xml;failTaskOnFailedTests=false;testRunSystem=VSTS - PTR;]
2019-12-05T14:36:04.4718265Z ##[debug]task result: Succeeded
2019-12-05T14:36:04.4718634Z ##[debug]Processed: ##vso[task.complete result=Succeeded;]

As a possible alternative solution if handlebars is causing issues, perhaps outputting the test results file as an .xml and then using the template found on this azuredevblog might work?

https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/

Thanks for your time! Appreciate your work.

Nunit Multiple root elements

Following the example here, I have the scanner running successfully with a targeted scan on an Azure-deployed site; it produces the report.html and report.json.

- task: owaspzap@1
  inputs:
    scantype: 'targetedScan'
    url: 'https://mytestsite.azurewebsites.net/'
    aggressivemode: true

I noticed in the scan report that it is showing a low level warning on the site at http even though I have the site set to auto redirect to https.

This then causes issues for me when trying to import the xml file from the handlebars template into NUnit, as it now has two root elements, one for the site at http and another for https.

In the script to generate the handlebars template it uses {{#each site}}, which will iterate over the sites in the report.json file, so if there is more than one, the resulting NUnit xml file is invalid.

How can I force the scanner to stop trying the site at http? I'm not even sure how it got to it in the first place, as I'm auto redirected to https when I try the url that it is reporting in a browser.

Or... since the script itself is liable to create an invalid NUnit xml file, what are the proper modifications needed to create multiple xml files per site?
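
An added example, not part of the original issue or the project's code: one way to produce a single-root NUnit file from a report.json that lists several sites, by emitting one `<test-run>` with a `<test-suite>` per site instead of one `<test-run>` per site. The field names come from the template quoted on this page; the sample data is constructed, and marking an alert-free site as "Passed" is an assumption.

```javascript
// Constructed sample in the shape the template on this page reads from report.json:
// the same site reported once over http:// and once over https://.
const sampleReport = {
  '@generated': 'Thu, 5 Dec 2019 14:36:00',
  site: [
    {
      '@name': 'http://mytestsite.azurewebsites.net',
      alerts: [{
        alert: 'Example alert A',
        desc: '<p>Constructed description</p>',
        solution: '<p>Constructed solution</p>',
        reference: 'https://example.invalid/ref',
        instances: [{ uri: 'http://mytestsite.azurewebsites.net/', method: 'GET', evidence: '' }],
      }],
    },
    {
      '@name': 'https://mytestsite.azurewebsites.net',
      alerts: [{
        alert: 'Example "alert" B & <more>',
        desc: 'text containing ]]> which would close a CDATA section',
        solution: 'n/a',
        reference: 'n/a',
        instances: [{ uri: 'https://mytestsite.azurewebsites.net/?a=1&b=2', method: 'GET', evidence: 'Set-Cookie: x' }],
      }],
    },
  ],
};

// Characters that XML 1.0 forbids anywhere in a document.
const XML_ILLEGAL = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g;

function clean(value) {
  return String(value ?? '').replace(XML_ILLEGAL, '');
}

// Escape scanner-supplied text for use inside a double-quoted attribute.
function escapeAttr(value) {
  return clean(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A literal "]]>" in the data would end the CDATA section early, so split it in two.
function cdata(value) {
  return '<![CDATA[' + clean(value).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

function caseXml(alert, index) {
  const instances = (alert.instances || []).map((inst) =>
    `* ${inst.uri}\n    - ${inst.method}` + (inst.evidence ? `\n    - ${inst.evidence}` : ''));
  const detail = [
    'Solution:', alert.solution, '', 'Reference:', alert.reference, '', 'instances:', ...instances,
  ].join('\n');
  const name = escapeAttr(alert.alert);
  return [
    `    <test-case id="${index}" name="${name}" result="Failed" fullname="${name}" time="1">`,
    '      <failure>',
    `        <message>${cdata(alert.desc)}</message>`,
    `        <stack-trace>${cdata(detail)}</stack-trace>`,
    '      </failure>',
    '    </test-case>',
  ].join('\n');
}

function toNUnit(report) {
  // Accept `site` as an array or as a single object.
  const sites = [].concat(report.site || []);
  const suites = sites.map((site, i) => {
    const alerts = site.alerts || [];
    return [
      `  <test-suite id="${i}" type="Assembly" name="${escapeAttr(site['@name'])}"` +
        ` result="${alerts.length ? 'Failed' : 'Passed'}" failed="${alerts.length}">`,
      ...alerts.map(caseXml),
      '  </test-suite>',
    ].join('\n');
  });
  // Exactly one root element, however many sites the report contains.
  return [
    '<?xml version="1.0" encoding="utf-8"?>',
    `<test-run id="2" name="Owasp test" start-time="${escapeAttr(report['@generated'])}">`,
    ...suites,
    '</test-run>',
    '',
  ].join('\n');
}
```

Escaping matters here because alert names, descriptions and evidence are taken from the scanned site's responses and can contain quotes, angle brackets or `]]>`.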

Reports are created as root user

The reports from this scan are created on the system as the root user.
This has some consequences for anyone running on custom agents, so please make it an option at least to not generate the reports under root.

Port number appended incorrectly

Hello, I am trying to test the ZAP Scanner Task in azure pipelines on WebGoat_Legacy6.0.

The Problem: the azure pipeline extension seems to append the port number to the end of the url, even when a path is provided to that url (example: http://localhost/WebGoat:8080)

To do this, I would like to have zap scan http://localhost:8080/WebGoat and any other paths associated with WebGoat.
I have tried the following:

  1. using an UNtargeted scan

  2. using a targeted scan with http://localhost for url and 8080 for port

  3. using a targeted scan with http://localhost/WebGoat for url and 8080 for port

  4. using a targeted scan with http://localhost:8080 for url and blank port

  5. using a targeted scan with http://localhost:8080/WebGoat for url and blank port

  6. I also tried to use a context file and I did see the other issue post about how to (theoretically) make it work by changing the parameter name in the yaml... however, I couldn't tell by looking at the logs whether or not the context file was actually being used. Additionally, even if it was being used, I'm not sure I set it up properly.

None of these work. 4 and 5 give errors that the port number is required.
3 gives an error that http://localhost/WebGoat:8080 cannot be reached (probably because the port number is at the end).
2 gives an error that http://localhost:8080 cannot be reached (because there isn't anything to find there).
1 just doesn't find WebGoat at all but doesn't produce connection errors (because I think it is successfully connecting to a web server I have running on port 80 that has nothing to do with WebGoat).

Here is an example of cannot connect errors I'm seeing: 2020-08-17T14:41:01.1314347Z ERROR ZAP failed to access: http://localhost/WebGoat:8080 (one of the last lines of the logs below)

The full log of the run that is from is attached here
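
An added example, not part of the original issue or the project's code: the behaviour reported above, modelled as plain string concatenation (an assumption about the task's internals), next to a hypothetical `buildTarget` helper that parses the URL first and sets the port on the authority. It also accepts a URL that already carries its port with the port input left blank.

```javascript
// Behaviour described in the post, modelled as concatenation
// (an assumption, not the task's actual source).
function naiveTarget(url, port) {
  return `${url}:${port}`;
}
// Note: 'http://localhost/WebGoat:8080' is still a syntactically valid URL.
// Its path is '/WebGoat:8080' and its port is the default 80, which is why
// the scan tries the wrong server instead of failing on a parse error.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Hypothetical replacement: parse, validate, then set the port where it belongs.
function buildTarget(url, port) {
  const u = new URL(url); // throws TypeError on a malformed URL
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  const wanted = String(port ?? '').trim();
  if (wanted !== '') {
    // The URL port setter ignores or truncates malformed input instead of
    // throwing, so the value is validated explicitly first.
    if (!/^\d{1,5}$/.test(wanted) || Number(wanted) < 1 || Number(wanted) > 65535) {
      throw new Error(`invalid port: ${wanted}`);
    }
    const normalized = String(Number(wanted));
    if (u.port !== '' && u.port !== normalized) {
      throw new Error(`port ${normalized} conflicts with ${u.port} in the URL`);
    }
    u.port = normalized; // a scheme's default port is dropped from href
  }
  return u.href;
}

// The url/port combinations listed in the post, run through both functions.
function attemptsFromPost() {
  return [
    ['http://localhost', '8080'],
    ['http://localhost/WebGoat', '8080'],
    ['http://localhost:8080', ''],
    ['http://localhost:8080/WebGoat', ''],
  ].map(([url, port]) => ({
    url,
    port,
    naive: port === '' ? null : naiveTarget(url, port),
    fixed: buildTarget(url, port),
  }));
}
```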

Update to ZAP 2.11.1?

ZAP 2.11.1 has been released to remove the dependency on a vulnerable version of Log4j: https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/
Does this project need to be changed to pick up this new version?
I couldn't see anything relevant in this repo to update :/
FYI we do have this page for registering to hear about new ZAP releases : https://www.zaproxy.org/3rd-party-package-maintenance/ - let me know any relevant details if you want to be added, or just submit a PR...

no such file or directory, open '/opt/vsts-agent-linux/_work/r1/a/owaspzap/report.json'

I have followed these instructions https://marketplace.visualstudio.com/items?itemName=CSE-DevOps.zap-scanner to run the owasp scanner with a small difference in the setting: I use targeted scan instead of scan on agent and also port 443, because the release is being deployed to this port.


Anyway, I get the following error message, which tells me nothing:

2021-04-28T08:11:29.5182663Z ##[section]Starting: ZAP Scanner
2021-04-28T08:11:29.5416938Z ==============================================================================
2021-04-28T08:11:29.5417838Z Task         : OWASP Zap Scanner
2021-04-28T08:11:29.5418427Z Description  : Utilize the OWASP/ZAP scanner within Azure DevOps
2021-04-28T08:11:29.5418716Z Version      : 1.0.1
2021-04-28T08:11:29.5419214Z Author       : Doyle Turner, Anthony Turner
2021-04-28T08:11:29.5419906Z Help         : 
2021-04-28T08:11:29.5420167Z ==============================================================================
2021-04-28T08:11:30.2901940Z [command]/usr/bin/chmod 777 /opt/vsts-agent-linux/_work/r1/a/owaspzap
2021-04-28T08:11:30.2904783Z [command]/usr/bin/id -u root
2021-04-28T08:11:30.2904982Z 0
2021-04-28T08:11:30.2933668Z ##[error]ENOENT: no such file or directory, open '/opt/vsts-agent-linux/_work/r1/a/owaspzap/report.json'
2021-04-28T08:11:30.2995398Z ##[section]Finishing: ZAP Scanner

There are also several reviews on the marketplace with this problem. They are all unanswered:

https://marketplace.visualstudio.com/items?itemName=CSE-DevOps.zap-scanner&ssr=false#review-details

Support for Bicep

Hello,

I am looking for a proper Security Scanning Tool for my Azure DevOps organization, which uses mainly Bicep, PowerShell code, together with YAML files. I researched some tools, including OWASP ZAP Scanner, but I can't find any documentation about if it supports the previously mentioned technologies.

Does OWASP ZAP Scanner support these?

Failed to load context file - file does not exist in the docker container

Hi everyone,

I added the context file to the pipeline configuration. The file is being recognized from the docker run command, otherwise it would throw an error. The docker run command creates a volume from the owasp folder path to the container. Somehow it seems like the file is not being copied from /home/vsts/work/1/s/owaspzap/context-file.context to the container. After the docker image is pulled and the container starts, I get the error message that the context file wasn't found.

/usr/bin/chmod 777 /home/vsts/work/1/s/owaspzap
/usr/bin/id -u root
0
/usr/bin/docker run -u 0 -v /home/vsts/work/1/s/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-baseline.py -t https://****:443 -J report.json -r report.html -n /home/vsts/work/1/s/owaspzap/context-file.context
...

owasp zap docker image is pulled

...
df35e5174ca6: Pull complete
Digest: sha256:215795fee30319d4d46007e1d9bb0999d9bafdfa423bcfb690de3d40e642f302
Status: Downloaded newer image for owasp/zap2docker-stable:latest
2023-01-10 17:10:54,380 Failed to load context file /home/vsts/work/1/s/owaspzap/context-file.context : does_not_exist
Total of 815 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
...

azure-pipelines-yml config:

        - task: owaspzap@1
          inputs:
            threshold: '50'
            scantype: 'targetedScan'
            url: 'https://****'
            providedCustomContext: true
            contextPath: '$(Build.SourcesDirectory)/owaspzap/context-file.context'
            port: '443'

Was someone able to use the context file successfully?
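
An added example, not part of the original issue or the project's code: in the `docker run` line above, the host folder is bind-mounted at `/zap/wrk/`, while `-n` is given the host-side path, which does not exist inside the container. The hypothetical helpers below translate a host path into the path visible through a `-v host:container[:mode]` mount and return `null` for files the mount does not cover; the second and third test paths are constructed.

```javascript
// Collapse "." and ".." segments of an absolute POSIX path without touching the disk.
function normalizePosix(p) {
  if (typeof p !== 'string' || !p.startsWith('/')) {
    throw new Error(`absolute path required: ${p}`);
  }
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Parse a `docker run -v` bind-mount spec of the form host:container[:mode].
function parseBindMount(spec) {
  const [hostDir, containerDir, mode = 'rw'] = spec.split(':');
  if (!hostDir || !containerDir) throw new Error(`not a bind mount: ${spec}`);
  return {
    hostDir: normalizePosix(hostDir),
    containerDir: normalizePosix(containerDir),
    mode,
  };
}

// Path at which hostPath is visible inside the container, or null when the
// file lies outside the mounted folder and is therefore not visible at all.
function toContainerPath(hostPath, spec) {
  const { hostDir, containerDir } = parseBindMount(spec);
  const file = normalizePosix(hostPath);
  if (file === hostDir) return containerDir;
  const hostPrefix = hostDir === '/' ? '' : hostDir;
  // Compare whole segments so that /a/owaspzap-old does not match /a/owaspzap.
  if (!file.startsWith(hostPrefix + '/')) return null;
  const base = containerDir === '/' ? '' : containerDir;
  return base + file.slice(hostPrefix.length);
}

// Mount spec copied from the docker run line in the post.
const MOUNT = '/home/vsts/work/1/s/owaspzap:/zap/wrk/:rw';
```

For the file in the post this yields `/zap/wrk/context-file.context`, the only location at which the container can open it.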

Cannot obtain build Ids inside Powershell Task

I set the option Store the triggered build id's in a variable.
However in a subsequent powershell task I'm not able to obtain the value of the variable in any way.

If I list the variables using:

Get-ChildItem Env:

No variable like the expected documented ones appear in the list.

How can I obtain the launched build Ids inside a subsequent powershell task?

Unable to use custom context file for OWASP Zap Scanner

I am unable to use a custom context file for the OWASP Zap Scanner. I've been able to successfully run the scan, but was hoping to use a custom context for authentication. I created the context file locally and have tried using the file checked into a repo or downloaded using the Download secure file task and none of these methods pulls in and uses the context file.

Here is the YAML from the OWASP Zap Scanner task:

steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    provideCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443

Not sure if I am using the custom context file incorrectly or there is some setting I need to turn on to have it be pulled in, but let me know if you need anything else from me.

Unable to locate executable file: 'chmod'

Hi, I am getting this error when using the OWASP Zap Scanner extension in my Azure DevOps Release pipeline. The target deployment node is a Windows server. I have installed Git for Windows and added the path to the PATH variable, but I am still getting the error below.

[error]Unable to locate executable file: 'chmod'. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.

Please can you suggest which path it is looking for the CHMOD file?

Below is the config.

[image]

Add custom script (Httpsender and Authentication)

How to use this Task with adding custom scripts inside from the Repository like

Enable the scripts in one of two ways (I don't have a preference):
A different input field to find the directory ("buildagent/myrepo/myscript.js")
Or Attached a file config file like the context

Thanks a lot

Context file documentation

Is there any documentation of the context file format (structure, keys, ...)? I would like to use it for authentication and to do some more specific testing, but haven't found any information about it.

DevOps Publish Test Results Task only publishes ZAP failures

Hi,

The plugin is great, really useful to automate the use of the ZAP scan. The only issue I'm having is with the reporting.

I've eventually got the reporting to NUnit format working by using the bash scripts you have provided.

However the test results published don't seem to match up with the ZAP Scan.

The log of the ZAP scan task shows 114 passing tests, and one warning on a full scan.

But the test results are only showing 2 failed tests and 0 passed (which gives a pass rate of 0% which is obviously not right).

Could you help me with this? Is it a case of changing the handlebar formatting somehow?


Pipeline Runner default branch

It appears that the default branch for the extension was not moved to main from master.

Scenario to reproduce:

if 'main' branch explicitly it gives a generic exception ##[error]Could not queue the build because there were validation errors or warnings.

To fix (workaround)
setBranch: true
Branch: main

in yaml definitions

Suggestion:
Change default branch to main

Unable to scan an App Service from Azure

I am trying to deploy a new App Service from code, and then run a scan over that specific website, such as "https://$(appServiceName).azurewebsites.net".

For some reason I still don't understand, the scan completes, but the report generation fails to create a valid results file, so when the task for publishing comes, I get "No Result Found to Publish '/home/vsts/work/1/s/owaspzap/test-results.xml'."

The code used is the same as the marketplace page defines for the tool.

[image: scanOK]

Here you can see the output of the generation. A strange thing is that the name seems to be trimmed out at the beginning, there is no "https:".

[image: reportGenerationFailed]

Any help here?

[error]ENOENT: no such file or directory, open '/home/vsts/work/r1/a/owaspzap/report.json'

I was trying to use ZAP from the Azure Marketplace and bumped into the error.

2020-08-25T11:01:58.5517255Z ##[section]Starting: ZAP Scanner
2020-08-25T11:01:58.5524757Z ==============================================================================
2020-08-25T11:01:58.5525072Z Task         : OWASP Zap Scanner
2020-08-25T11:01:58.5525359Z Description  : Utilize the OWASP/ZAP scanner within Azure DevOps
2020-08-25T11:01:58.5525600Z Version      : 1.0.1
2020-08-25T11:01:58.5525835Z Author       : Doyle Turner, Anthony Turner
2020-08-25T11:01:58.5527199Z Help         : 
2020-08-25T11:01:58.5527468Z ==============================================================================
2020-08-25T11:01:59.6175709Z [command]/bin/chmod 777 /home/vsts/work/r1/a/owaspzap
2020-08-25T11:01:59.6179364Z [command]/usr/bin/id -u root
2020-08-25T11:01:59.6179601Z 0
2020-08-25T11:01:59.6186436Z [command]/usr/bin/docker run -u 0 -v /home/vsts/work/r1/a/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t http://172.17.0.1:8080 -J report.json -r report.html
2020-08-25T11:01:59.6188722Z Unable to find image 'owasp/zap2docker-stable:latest' locally
2020-08-25T11:01:59.6189567Z latest: Pulling from owasp/zap2docker-stable
2020-08-25T11:02:26.8555012Z Digest: sha256:3563ecc53448ad224262ccea185cff8360c999c52d9c4b78630d9344dc1c3fd6
2020-08-25T11:02:26.8574934Z Status: Downloaded newer image for owasp/zap2docker-stable:latest
2020-08-25T11:02:32.0896132Z 2020-08-25 11:02:32,087 Params: ['zap-x.sh', '-daemon', '-port', '55382', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=0', '-addonupdate', '-addoninstall', 'pscanrulesBeta', '-addoninstall', 'ascanrulesBeta']
2020-08-25T11:02:34.6787780Z Aug 25, 2020 11:02:34 AM java.util.prefs.FileSystemPreferences$1 run
2020-08-25T11:02:34.6788472Z INFO: Created user preferences directory.
2020-08-25T11:02:42.2030923Z 2020-08-25 11:02:42,201 I/O error(5): ZAP failed to access: http://172.17.0.1:8080
2020-08-25T11:02:42.2031545Z Traceback (most recent call last):
2020-08-25T11:02:42.2032216Z   File "/zap/zap-full-scan.py", line 319, in main
2020-08-25T11:02:42.2032552Z     zap_access_target(zap, target)
2020-08-25T11:02:42.2032871Z   File "/zap/zap_common.py", line 84, in _wrap
2020-08-25T11:02:42.2080118Z     return_data = func(*args_list, **kwargs)
2020-08-25T11:02:42.2081059Z   File "/zap/zap_common.py", line 365, in zap_access_target
2020-08-25T11:02:42.2082304Z     raise IOError(errno.EIO, 'ZAP failed to access: {0}'.format(target))
2020-08-25T11:02:42.2083087Z IOError: [Errno 5] ZAP failed to access: http://172.17.0.1:8080
2020-08-25T11:02:42.2083829Z Found Java version 1.8.0_242
2020-08-25T11:02:42.2084411Z Available memory: 6927 MB
2020-08-25T11:02:42.2085278Z Using JVM args: -Xmx1731m
2020-08-25T11:02:42.2086445Z 194 [main] INFO org.zaproxy.zap.DaemonBootstrap  - OWASP ZAP 2.9.0 started 25/08/20 11:02:32 with home /root/.ZAP/
2020-08-25T11:02:42.2090093Z 227 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.disablekey = true was null
2020-08-25T11:02:42.2091346Z 228 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.name = .* was null
2020-08-25T11:02:42.2104910Z 228 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.regex = true was null
2020-08-25T11:02:42.2106191Z 228 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config spider.maxDuration = 0 was null
2020-08-25T11:02:42.2107291Z 234 [main] INFO org.parosproxy.paros.network.SSLConnector  - Reading supported SSL/TLS protocols...
2020-08-25T11:02:42.2108279Z 234 [main] INFO org.parosproxy.paros.network.SSLConnector  - Using a SSLEngine...
2020-08-25T11:02:42.2109498Z 332 [main] INFO org.parosproxy.paros.network.SSLConnector  - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
2020-08-25T11:02:42.2110690Z 341 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate  - Unsafe SSL renegotiation disabled.
2020-08-25T11:02:42.2111725Z 718 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open start
2020-08-25T11:02:42.2113031Z 724 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open end
2020-08-25T11:02:42.2114025Z 772 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions
2020-08-25T11:02:42.2117522Z 1857 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Installed add-ons: [[id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=bruteforce, version=9.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=fuzz, version=12.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.9.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=pscanrules, version=26.0.0], [id=quickstart, version=27.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.1.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=16.0.0], [id=websocket, version=21.0.0], [id=zest, version=31.0.0]]
2020-08-25T11:02:42.2131117Z 2085 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Extensions loaded
2020-08-25T11:02:42.2132053Z 2181 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows ZAP to check for updates
2020-08-25T11:02:42.2132899Z 2183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Options Extension
2020-08-25T11:02:42.2133731Z 2183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Edit Menu Extension
2020-08-25T11:02:42.2134676Z 2183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a rest based API for controlling and accessing ZAP
2020-08-25T11:02:42.2135571Z 2189 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session State Extension
2020-08-25T11:02:42.2136415Z 2190 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Report Extension
2020-08-25T11:02:42.2137228Z 2190 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing History Extension
2020-08-25T11:02:42.2138128Z 2191 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Show hidden fields and enable disabled fields
2020-08-25T11:02:42.2139087Z 2191 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Search messages for strings and regular expressions
2020-08-25T11:02:42.2139979Z 2193 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Encode/Decode/Hash...
2020-08-25T11:02:42.2140924Z 2193 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to intercept and modify requests and responses
2020-08-25T11:02:42.2141807Z 2194 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive scanner
2020-08-25T11:02:42.2142756Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Script Passive Scan Rules
2020-08-25T11:02:42.2144169Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Stats Passive Scan Rule
2020-08-25T11:02:42.2145225Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure
2020-08-25T11:02:42.2146305Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Absence of Anti-CSRF Tokens
2020-08-25T11:02:42.2147445Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
2020-08-25T11:02:42.2148554Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Charset Mismatch
2020-08-25T11:02:42.2149757Z 2266 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: CSP Scanner
2020-08-25T11:02:42.2150811Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing
2020-08-25T11:02:42.2151868Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag
2020-08-25T11:02:42.2152898Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Loosely Scoped Cookie
2020-08-25T11:02:42.2153974Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without SameSite Attribute
2020-08-25T11:02:42.2155031Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag
2020-08-25T11:02:42.2156109Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain Misconfiguration
2020-08-25T11:02:42.2157235Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
2020-08-25T11:02:42.2158376Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Web Browser XSS Protection Not Enabled
2020-08-25T11:02:42.2159496Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Debug Error Messages
2020-08-25T11:02:42.2160781Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
2020-08-25T11:02:42.2162022Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
2020-08-25T11:02:42.2163229Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Suspicious Comments
2020-08-25T11:02:42.2164327Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Weak Authentication Method
2020-08-25T11:02:42.2165386Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Insecure JSF ViewState
2020-08-25T11:02:42.2166464Z 2267 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content
2020-08-25T11:02:42.2167512Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure
2020-08-25T11:02:42.2168559Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite
2020-08-25T11:02:42.2197554Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Timestamp Disclosure
2020-08-25T11:02:42.2199012Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Username Hash Found
2020-08-25T11:02:42.2200050Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Viewstate Scanner
2020-08-25T11:02:42.2201302Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-AspNet-Version Response Header Scanner
2020-08-25T11:02:42.2202440Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing
2020-08-25T11:02:42.2203523Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Debug-Token Information Leak
2020-08-25T11:02:42.2204607Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner
2020-08-25T11:02:42.2206029Z 2268 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
2020-08-25T11:02:42.2207102Z 2308 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to view and manage alerts
2020-08-25T11:02:42.2208178Z 2310 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
2020-08-25T11:02:42.2209516Z 2335 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Spider used for automatically finding URIs on a site
2020-08-25T11:02:42.2210546Z 2343 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing A set of common popup menus for miscellaneous tasks
2020-08-25T11:02:42.2211623Z 2344 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
2020-08-25T11:02:42.2212594Z 2344 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manual Request Editor Extension
2020-08-25T11:02:42.2213597Z 2344 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Compares 2 sessions and generates an HTML file showing the differences
2020-08-25T11:02:42.2214702Z 2344 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Invoke external applications passing context related information such as URLs and parameters
2020-08-25T11:02:42.2215761Z 2345 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles anti cross site request forgery (CSRF) tokens
2020-08-25T11:02:42.2216658Z 2354 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authentication Extension
2020-08-25T11:02:42.2218002Z 2365 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication  - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
2020-08-25T11:02:42.2219520Z 2367 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
2020-08-25T11:02:42.2220810Z 2367 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Logs errors to the Output tab in development mode only
2020-08-25T11:02:42.2221698Z 2367 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Users Extension
2020-08-25T11:02:42.2222647Z 2369 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Summarise and analyse FORM and URL parameters as well as cookies
2020-08-25T11:02:42.2223534Z 2369 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Script integration
2020-08-25T11:02:42.2224734Z 2386 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Scripting console, supports all JSR 223 scripting languages
2020-08-25T11:02:42.2225627Z 2496 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced User Extension
2020-08-25T11:02:42.2226488Z 2496 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Extension handling HTTP sessions
2020-08-25T11:02:42.2227568Z 2498 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
2020-08-25T11:02:42.2228527Z 2628 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionDiff
2020-08-25T11:02:42.2229366Z 2628 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Post Table View Extension
2020-08-25T11:02:42.2230430Z 2628 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session Management Extension
2020-08-25T11:02:42.2231728Z 2632 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement  - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
2020-08-25T11:02:42.2232913Z 2633 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Form Table View Extension
2020-08-25T11:02:42.2233914Z 2633 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Capture messages from WebSockets with the ability to set breakpoints.
2020-08-25T11:02:42.2235043Z 2640 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
2020-08-25T11:02:42.2236044Z 2641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Core UI related functionality.
2020-08-25T11:02:42.2236891Z 2641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authorization Extension
2020-08-25T11:02:42.2237742Z 2641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing AJAX Spider, uses Crawljax
2020-08-25T11:02:42.2238771Z 2642 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
2020-08-25T11:02:42.2239779Z 2647 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manages the local proxy configurations
2020-08-25T11:02:42.2240656Z 2647 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles adding Global Excluded URLs
2020-08-25T11:02:42.2241568Z 2647 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds menu item to refresh the Sites tree
2020-08-25T11:02:42.2242424Z 2647 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing OWASP ZAP User Guide
2020-08-25T11:02:42.2243364Z 2647 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a URL suitable for calling from target sites
2020-08-25T11:02:42.2244363Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to configure which extensions are loaded when ZAP starts
2020-08-25T11:02:42.2245303Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Combined HTTP Panels Extension
2020-08-25T11:02:42.2246170Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Hex View Extension
2020-08-25T11:02:42.2247024Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Image View Extension
2020-08-25T11:02:42.2247918Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Request View Extension
2020-08-25T11:02:42.2261251Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Response View Extension
2020-08-25T11:02:42.2262579Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Query Table View Extension
2020-08-25T11:02:42.2263532Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Syntax Highlighter View Extension
2020-08-25T11:02:42.2264577Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
2020-08-25T11:02:42.2265536Z 2649 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active and passive rule configuration
2020-08-25T11:02:42.2266369Z 2651 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Statistics
2020-08-25T11:02:42.2267438Z 2652 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats  - Start recording in memory stats
2020-08-25T11:02:42.2268300Z 2653 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules
2020-08-25T11:02:42.2269127Z 2653 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Context alert rules filter
2020-08-25T11:02:42.2269999Z 2654 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The ZAP Getting Started Guide
2020-08-25T11:02:42.2270815Z 2654 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Heads Up Display
2020-08-25T11:02:42.2271635Z 2689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHUDlaunch
2020-08-25T11:02:42.2272458Z 2690 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveRawHttpMessage
2020-08-25T11:02:42.2273398Z 2690 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Easy way to replace strings in requests and responses
2020-08-25T11:02:42.2274568Z 2694 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
2020-08-25T11:02:42.2275610Z 2695 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz HTTP messages.
2020-08-25T11:02:42.2276456Z 2695 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules
2020-08-25T11:02:42.2277409Z 2695 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds the Quick Start panel for scanning and exploring applications
2020-08-25T11:02:42.2278448Z 2699 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Add the option to use the Ajax Spider in the Quick Start scan
2020-08-25T11:02:42.2279383Z 2700 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
2020-08-25T11:02:42.2280304Z 2700 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
2020-08-25T11:02:42.2281141Z 2700 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The Online menu links
2020-08-25T11:02:42.2282090Z 2700 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
2020-08-25T11:02:42.2282994Z 2712 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveXMLHttpMessage
2020-08-25T11:02:42.2283821Z 2713 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Tips and Tricks
2020-08-25T11:02:42.2284661Z 2713 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz WebSocket messages.
2020-08-25T11:02:42.2285633Z 2917 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback  - Started callback server on 0.0.0.0:34273
2020-08-25T11:02:42.2286733Z 2917 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL  - Creating new root CA certificate
2020-08-25T11:02:42.2287576Z 3289 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL  - New root CA certificate created
2020-08-25T11:02:42.2288399Z 4296 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - There is/are 10 newer addons
2020-08-25T11:02:42.2289525Z 6265 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon selenium v15.2.0
2020-08-25T11:02:42.2290532Z 6439 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon selenium v15.2.0
2020-08-25T11:02:42.2291482Z 6453 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon openapi v16.0.0
2020-08-25T11:02:42.2294131Z 6473 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon openapi v16.0.0
2020-08-25T11:02:42.2295147Z 6488 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon pscanrules v29.0.0
2020-08-25T11:02:42.2296130Z 6488 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon pscanrules v29.0.0
2020-08-25T11:02:42.2297078Z 6494 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon quickstart v28.0.0
2020-08-25T11:02:42.2298061Z 6540 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon quickstart v28.0.0
2020-08-25T11:02:42.2299026Z 6555 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon webdriverlinux v19.0.0
2020-08-25T11:02:42.2300033Z 6861 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon webdriverlinux v19.0.0
2020-08-25T11:02:42.2301012Z 6866 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon ascanrules v36.0.0
2020-08-25T11:02:42.2301994Z 6888 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon ascanrules v36.0.0
2020-08-25T11:02:42.2302926Z 6900 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon fuzz v13.0.0
2020-08-25T11:02:42.2303882Z 7147 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon fuzz v13.0.0
2020-08-25T11:02:42.2304809Z 7173 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon zest v32.0.0
2020-08-25T11:02:42.2305764Z 7260 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon zest v32.0.0
2020-08-25T11:02:42.2306719Z 7387 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon websocket v22.0.0
2020-08-25T11:02:42.2307700Z 7627 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon websocket v22.0.0
2020-08-25T11:02:42.2308644Z 7770 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon hud v0.11.0
2020-08-25T11:02:42.2309572Z 7840 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon hud v0.11.0
2020-08-25T11:02:42.2310520Z 7842 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon commonlib v1.1.0
2020-08-25T11:02:42.2311560Z 7880 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure
2020-08-25T11:02:42.2312947Z 7880 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Absence of Anti-CSRF Tokens
2020-08-25T11:02:42.2314161Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
2020-08-25T11:02:42.2315319Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Charset Mismatch
2020-08-25T11:02:42.2316366Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: CSP Scanner
2020-08-25T11:02:42.2317466Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing
2020-08-25T11:02:42.2318564Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag
2020-08-25T11:02:42.2319842Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Loosely Scoped Cookie
2020-08-25T11:02:42.2321135Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without SameSite Attribute
2020-08-25T11:02:42.2322294Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag
2020-08-25T11:02:42.2323426Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain Misconfiguration
2020-08-25T11:02:42.2324602Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
2020-08-25T11:02:42.2325813Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Debug Error Messages
2020-08-25T11:02:42.2327056Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
2020-08-25T11:02:42.2328364Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
2020-08-25T11:02:42.2329975Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Suspicious Comments
2020-08-25T11:02:42.2331163Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Weak Authentication Method
2020-08-25T11:02:42.2332260Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Insecure JSF ViewState
2020-08-25T11:02:42.2333424Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content
2020-08-25T11:02:42.2334528Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure
2020-08-25T11:02:42.2335643Z 7881 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite
2020-08-25T11:02:42.2336752Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Timestamp Disclosure
2020-08-25T11:02:42.2337830Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Username Hash Found
2020-08-25T11:02:42.2338916Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Viewstate Scanner
2020-08-25T11:02:42.2340256Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-AspNet-Version Response Header Scanner
2020-08-25T11:02:42.2341450Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing
2020-08-25T11:02:42.2342589Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Debug-Token Information Leak
2020-08-25T11:02:42.2343732Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner
2020-08-25T11:02:42.2344982Z 7882 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
2020-08-25T11:02:42.2346136Z 7925 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon commonlib v1.1.0
2020-08-25T11:02:42.2347285Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/pscanrules-release-29.zap
2020-08-25T11:02:42.2348548Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/quickstart-release-28.zap
2020-08-25T11:02:42.2349540Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/websocket-release-22.zap
2020-08-25T11:02:42.2350525Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/hud-beta-0.11.0.zap
2020-08-25T11:02:42.2351501Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/ascanrules-release-36.zap
2020-08-25T11:02:42.2352489Z 7942 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/fuzz-beta-13.0.0.zap
2020-08-25T11:02:42.2353491Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/commonlib-release-1.1.0.zap
2020-08-25T11:02:42.2354522Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/webdriverlinux-release-19.zap
2020-08-25T11:02:42.2355495Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/openapi-beta-16.zap
2020-08-25T11:02:42.2356463Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/zest-beta-32.zap
2020-08-25T11:02:42.2357438Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/selenium-release-15.2.0.zap
2020-08-25T11:02:42.2358380Z 7943 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on update check complete
2020-08-25T11:02:42.2359462Z 7944 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v22/pscanrulesBeta-beta-22.zap
2020-08-25T11:02:42.2360820Z 7952 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v30/ascanrulesBeta-beta-30.zap
2020-08-25T11:02:42.2361948Z 8661 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon pscanrulesBeta v22.0.0
2020-08-25T11:02:42.2363088Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
2020-08-25T11:02:42.2364327Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
2020-08-25T11:02:42.2365446Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Directory Browsing
2020-08-25T11:02:42.2366542Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Hash Disclosure
2020-08-25T11:02:42.2367863Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
2020-08-25T11:02:42.2369236Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
2020-08-25T11:02:42.2374353Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
2020-08-25T11:02:42.2375564Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Reverse Tabnabbing
2020-08-25T11:02:42.2376655Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Modern Web Application
2020-08-25T11:02:42.2378006Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: PII Disclosure
2020-08-25T11:02:42.2379106Z 8684 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Retrieved from Cache
2020-08-25T11:02:42.2380243Z 8685 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Server Response Header Scanner
2020-08-25T11:02:42.2381381Z 8685 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Parameter Override
2020-08-25T11:02:42.2382538Z 8685 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Strict-Transport-Security Header Scanner
2020-08-25T11:02:42.2383694Z 8686 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable Charset
2020-08-25T11:02:42.2384800Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Poisoning
2020-08-25T11:02:42.2387456Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
2020-08-25T11:02:42.2389139Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable JavaScript Event (XSS)
2020-08-25T11:02:42.2390273Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Open Redirect
2020-08-25T11:02:42.2391400Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Backend-Server Header Information Leak
2020-08-25T11:02:42.2392634Z 8687 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
2020-08-25T11:02:42.2393751Z 8689 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon pscanrulesBeta v22.0.0
2020-08-25T11:02:42.2394747Z 8692 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Installing new addon ascanrulesBeta v30.0.0
2020-08-25T11:02:42.2395748Z 8754 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Finished installing new addon ascanrulesBeta v30.0.0
2020-08-25T11:02:42.2396743Z 8953 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/pscanrules-release-29.zap
2020-08-25T11:02:42.2397760Z 8953 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/quickstart-release-28.zap
2020-08-25T11:02:42.2398749Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/websocket-release-22.zap
2020-08-25T11:02:42.2399953Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/hud-beta-0.11.0.zap
2020-08-25T11:02:42.2400944Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/ascanrules-release-36.zap
2020-08-25T11:02:42.2401935Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/fuzz-beta-13.0.0.zap
2020-08-25T11:02:42.2402925Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/commonlib-release-1.1.0.zap
2020-08-25T11:02:42.2403947Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/webdriverlinux-release-19.zap
2020-08-25T11:02:42.2404923Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/openapi-beta-16.zap
2020-08-25T11:02:42.2406061Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/zest-beta-32.zap
2020-08-25T11:02:42.2407063Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/selenium-release-15.2.0.zap
2020-08-25T11:02:42.2408079Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/pscanrulesBeta-beta-22.zap
2020-08-25T11:02:42.2409362Z 8954 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on downloaded to: /root/.ZAP/plugin/ascanrulesBeta-beta-30.zap
2020-08-25T11:02:42.2410405Z 8955 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:55382
2020-08-25T11:02:42.2410929Z ERROR ZAP failed to access: http://172.17.0.1:8080
2020-08-25T11:02:43.8659287Z ##[error]ENOENT: no such file or directory, open '/home/vsts/work/r1/a/owaspzap/report.json'

Any help would be appreciated.
Let me know if more information is needed.

Reporting outputs are empty since latest OWASPZAP Docker image update

Since the recent OWASP ZAP Docker image was changed on 7th October 2021 - this AZDO task has broken irreparably. I found that the report output coming out of this task was empty, therefore breaking the reporting out

I've since had no option but to stop using this task and fix our pipelines

For anyone else struggling, my pipeline looks like this - you will see I no longer use this task. I hope this helps someone else struggling - Cheers

# AZDO YAML Pipeline for OWASP ZAP Docker to run a baseline scan against a website URL
# Neil McA - Oct 2021

# A few sources used for this...
# OWASP ZAP Docker Image: https://www.zaproxy.org/docs/docker/about/
# zap-baseline.py reference: https://www.zaproxy.org/docs/docker/baseline-scan/
# Post N-Unit format reporting: https://github.com/microsoft/CSEDevOps/blob/main/Zap/README.md#install-handlebars

name: $(date:yyyyMMdd)$(rev:.r)-$(Build.SourceBranch)

trigger:
- main
- master

stages:
- stage: OWASP_ZAP_Stage # !CHANGE! per env
  jobs:
    - job: OWASP_ZAP
      variables:
        websiteurl: 'www.kylie.com'
      pool:
        vmImage: 'ubuntu-latest'
      steps:
      - task: Bash@3
        displayName: 'Prepare OWASPZAP output directory for Docker'
        inputs:
          targetType: 'inline'
          script: |
            sudo mkdir $(System.DefaultWorkingDirectory)/owaspzap
            sudo chmod -R 777 $(System.DefaultWorkingDirectory)/owaspzap
      - task: Bash@3
        displayName: 'Run OWASPZAP Docker Image and scan $(websiteurl)'
        inputs:
          targetType: 'inline'
          script: |
            docker run -t -v $(System.DefaultWorkingDirectory)/owaspzap:/zap/wrk:rw owasp/zap2docker-stable zap-baseline.py -t http://$(websiteurl) -J report.json -I
      - bash: |
          sudo npm install -g handlebars-cmd

          cat <<EOF > owaspzap/nunit-template.hbs

          <test-run
              id="2"
              name="Owasp test"
              start-time="{{@generated}}">
              {{#each site}}<test-suite
                  id="{{@index}}"
                  type="Assembly"
                  name="{{[@name]}}"
                  result="Failed"
                  failed="{{alerts.length}}">
                  <attachments>
                      <attachment>
                          <filePath>$BUILD_SOURCESDIRECTORY/owaspzap/report.html</filePath>
                      </attachment>
                  </attachments>
                  {{#each alerts}}<test-case
                      id="{{@index}}"
                      name="{{alert}}"
                      result="Failed"
                      fullname="{{alert}}"
                      time="1">
                      <failure>
                          <message>
                              <![CDATA[{{{desc}}}]]>
                          </message>
                          <stack-trace>
                              <![CDATA[
          Solution:
          {{{solution}}}

          Reference:
          {{{reference}}}

          instances:{{#each instances}}
          * {{uri}}
              - {{method}}
              {{#if evidence}}- {{{evidence}}}{{/if}}
                              {{/each}}]]>
                          </stack-trace>
                      </failure>
                  </test-case>
                  {{/each}}
              </test-suite>
              {{/each}}
          </test-run>
          EOF
        displayName: 'OWASP NUnit template'
      - bash: ' handlebars owaspzap/report.json < owaspzap/nunit-template.hbs > owaspzap/$(websiteurl).xml'
        displayName: 'Generate NUnit type file for $(websiteurl)'
      # Publish results to AZDO Test page                                                             
      - task: PublishTestResults@2
        displayName: 'Publish Test Results to AZDO'
        inputs:
          testResultsFormat: NUnit
          testResultsFiles: 'owaspzap/$(websiteurl).xml'
          testRunTitle: '$(websiteurl)'
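
The pipeline above passes -I to zap-baseline.py, so warnings do not fail the scan step, and the log earlier on this page shows the later steps breaking when report.json was never written. The following gate is an added example, not part of the original post or of the CSEDevOps task; it can run between the scan and the NUnit conversion. The names `check_report` and `fail_at`, and the assumption that each alert carries a string `riskcode` from "0" to "3", are not from the page.

```python
import json
import sys
import tempfile
from pathlib import Path

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape the template above iterates (site -> alerts);
# "riskcode" as a string "0".."3" is an assumption about the ZAP JSON report.
SAMPLE = {"site": [{"@name": "http://example.test", "alerts": [
    {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
    {"alert": "Server Leaks Version Information", "riskcode": "1"}]}]}


def check_report(path, fail_at=2):
    """Return (ok, message). ok is False for a missing, empty or malformed
    report, a report with no scanned site, or any alert at/above fail_at."""
    path = Path(path)
    if not path.is_file() or path.stat().st_size == 0:
        return False, f"{path}: report missing or empty, scan produced no output"
    try:
        report = json.loads(path.read_text(encoding="utf-8"))
        sites = report["site"]
        sites = sites if isinstance(sites, list) else [sites]
        risks = [int(a["riskcode"]) for s in sites for a in s.get("alerts", [])]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return False, f"{path}: not a usable ZAP report ({exc!r})"
    if not sites:
        return False, f"{path}: no site entries, target was probably unreachable"
    counts = {name: sum(1 for r in risks if r == code) for code, name in RISK.items()}
    summary = ", ".join(f"{n}={c}" for n, c in counts.items())
    worst = max(risks, default=0)
    if worst >= fail_at:
        return False, f"{RISK.get(worst, worst)} risk alert found ({summary})"
    return True, f"no alert at or above {RISK.get(fail_at, fail_at)} ({summary})"


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # usage: script report.json [fail_at]
        target = sys.argv[1]
    else:                                      # no argument: run on the sample
        target = Path(tempfile.mkdtemp()) / "report.json"
        target.write_text(json.dumps(SAMPLE), encoding="utf-8")
    ok, message = check_report(target, int(sys.argv[2]) if len(sys.argv) > 2 else 2)
    print(("PASS: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

Run as a script step, the non-zero exit code fails the job before an empty or missing report reaches the handlebars conversion.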

EISDIR: illegal operation on a directory, read

I have encountered some trouble when using RunPipelines,
and I am having trouble figuring out what to do with the current output:

############### Starting task execution ###############
INFO: Setting AZURE_DEVOPS_EXT_PAT
Task failed with the following: EISDIR: illegal operation on a directory, read
##[error]EISDIR: illegal operation on a directory, read
############## Completing task execution ##############

It seems that I properly set up the Azure DevOps service connection using a PAT and full access.

task implementation

      - task: RunPipelines@2
        inputs:
          serviceConnection: 'OrchestratorTest'
          project: 'myProject'
          folderPath: './pipelines/orchestrator/build.yml'
          buildDefinition: 'Orchestrator-Build'
          setBranch: true
          waitForQueuedBuildsToFinish: true
          waitRefreshTime: '30'
          waitTimeOut: '120'
          artifactDropDirectory: '$(System.DefaultWorkingDirectory)'
          storeInOutputVariable: true
          allowPartiallySucceeded: false
          failBuildIfTaskFails: true
          customPrefix: 'Orchestrator_'

and the folder structure (we are on master.yml)

image
