dast
Passed. Started by @astoicescu (Andrei Stoicescu)
Running with gitlab-runner 12.9.0-rc1 (a350f628)
  on docker-auto-scale fa6cab46
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/dast:1 ...
Pulling docker image registry.gitlab.com/gitlab-org/security-products/dast:1 ...
Using docker image sha256:1a19b3e575dab553d2f3e7dc3be88c9482a94cc811f2bd48af0c181f626837f7 for registry.gitlab.com/gitlab-org/security-products/dast:1 ...
Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1584700427-24163ae3...
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Downloading artifacts for dast_environment_deploy (37117871)...
Downloading artifacts from coordinator... ok id=37117871 responseStatus=200 OK token=Zxx2a3K4
$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
$ /analyze -t $DAST_WEBSITE
2020-03-20 10:35:52,664 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]
2020-03-20 10:35:52,664 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available
2020-03-20 10:35:52,665 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:35:55,746 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:35:58,820 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:01,897 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:05,011 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:08,088 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:11,161 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:14,238 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:17,314 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:20,390 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:23,474 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:26,691 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:29,908 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:33,125 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-03-20 10:36:33,822 starting scan
2020-03-20 10:36:33,823 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-J', 'gl-dast-report.json'), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -addonupdate')]
2020-03-20 10:36:33,824 Params: ['zap-x.sh', '-daemon', '-port', '53298', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-addonupdate']
Mar 20, 2020 10:36:40 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
[zap.out] Found Java version 1.8.0_242
[zap.out] Available memory: 3693 MB
[zap.out] Using JVM args: -Xmx923m
[zap.out] 419 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-02-10 started 20/03/20 10:36:35 with home /root/.ZAP_D/
[zap.out] 478 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap.out] 489 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap.out] 489 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap.out] 489 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap.out] 490 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap.out] 497 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap.out] 502 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap.out] 673 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
[zap.out] 682 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
[zap.out] 1444 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
[zap.out] 1452 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
[zap.out] 1570 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap.out] 4410 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=ascanrulesBeta, version=27.0.0], [id=bruteforce, version=9.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=27.0.0], [id=pscanrulesBeta, version=21.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.1.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=17.0.0], [id=webdrivermacos, version=16.0.0], [id=webdriverwindows, version=17.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]
[zap.out] 5085 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap.out] 5478 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
[zap.out] 5488 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
[zap.out] 5489 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
[zap.out] 5489 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
[zap.out] 5517 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
[zap.out] 5517 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
[zap.out] 5519 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
[zap.out] 5523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
[zap.out] 5528 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
[zap.out] 5533 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...
[zap.out] 5535 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
[zap.out] 5538 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
[zap.out] 5760 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap.out] 5764 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap.out] 5764 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap.out] 5764 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap.out] 5766 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
[zap.out] 5766 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap.out] 5767 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner
[zap.out] 5767 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap.out] 5767 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap.out] 5767 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap.out] 5771 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap.out] 5772 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap.out] 5772 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap.out] 5773 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap.out] 5773 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap.out] 5773 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap.out] 5773 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap.out] 5773 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap.out] 5774 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner
[zap.out] 5775 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner
[zap.out] 5775 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap.out] 5775 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap.out] 5779 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner
[zap.out] 5779 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap.out] 5779 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap.out] 5779 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap.out] 5780 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Scanner
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap.out] 5781 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap.out] 5795 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
[zap.out] 5799 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap.out] 5809 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
[zap.out] 5811 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
[zap.out] 5823 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
[zap.out] 5824 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap.out] 5825 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
[zap.out] 5825 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
[zap.out] 5826 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
[zap.out] 5826 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
[zap.out] 5826 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
[zap.out] 5834 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
[zap.out] 5862 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap.out] 5863 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
[zap.out] 5864 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
[zap.out] 5864 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
[zap.out] 5874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
[zap.out] 5875 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
[zap.out] 5898 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
[zap.out] 6139 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
[zap.out] 6139 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
[zap.out] 6143 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
[zap.out] 6465 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
[zap.out] 6465 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
[zap.out] 6466 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
[zap.out] 6466 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
[zap.out] 6476 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap.out] 6477 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
[zap.out] 6481 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
[zap.out] 6495 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
[zap.out] 6495 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
[zap.out] 6496 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
[zap.out] 6496 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
[zap.out] 6497 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap.out] 6509 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
[zap.out] 6510 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
[zap.out] 6510 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
[zap.out] 6511 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
[zap.out] 6511 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
[zap.out] 6511 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
[zap.out] 6512 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
[zap.out] 6514 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
[zap.out] 6514 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
[zap.out] 6514 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
[zap.out] 6515 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
[zap.out] 6516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
[zap.out] 6517 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
[zap.out] 6517 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
[zap.out] 6519 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
[zap.out] 6521 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
[zap.out] 6526 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
[zap.out] 6527 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap.out] 6528 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
[zap.out] 6534 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
[zap.out] 6534 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
[zap.out] 6534 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap.out] 6536 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
[zap.out] 6537 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
[zap.out] 6537 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
[zap.out] 6537 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
[zap.out] 6561 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
[zap.out] 6562 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
[zap.out] 6564 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
[zap.out] 6564 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
[zap.out] 6565 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
[zap.out] 6565 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
[zap.out] 6567 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
[zap.out] 6568 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
[zap.out] 6568 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
[zap.out] 6570 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
[zap.out] 6570 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap.out] 6570 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap.out] 6570 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
[zap.out] 6723 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
[zap.out] 6727 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
[zap.out] 7138 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:46143
[zap.out] 7138 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
[zap.out] 9016 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
[zap.out] 10028 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on update check complete
[zap.out] 10029 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:53298
[zap.out] 10222 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session
[zap.out] 10272 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session
[zap.out] 10273 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db
[zap.out] 10296 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
[zap.out] 10299 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
[zap.out] 10304 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
[zap.out] 10557 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
[zap.out] 10559 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
[zap.out] 14513 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Target Context at Fri Mar 20 10:36:49 UTC 2020
[zap.out] 14516 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
[zap.out] 14540 [ZAP-SpiderInitThread-0] I
2020-03-20 10:36:54,759 The following 4 URLs were scanned:
Total of 4 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: X-Frame-Options Header Scanner [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate Scanner [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header Scanner [10035]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie Without SameSite Attribute [10054]
PASS: CSP Scanner [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header Scanner [10061]
PASS: PII Scanner [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 4
    http://dast-4422333-dast-default.34.67.11.220.nip.io/ (308 Permanent Redirect)
    http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (308 Permanent Redirect)
    http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (308 Permanent Redirect)
    http://dast-4422333-dast-default.34.67.11.220.nip.io (308 Permanent Redirect)
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 1 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 49
Uploading artifacts...
gl-dast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=37117872 responseStatus=201 Created token=rd2sjjys
Job succeeded