dast
Passed Started
by
@astoicescu
Andrei Stoicescu
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 12.9.0 (4c96e5ad)2 on docker-auto-scale fa6cab464Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/dast:1 ...6Using docker image sha256:5e5fe6123f53ae01515941b1f4f33cdb74987085d4c296b9d4111101a83b55eb for registry.gitlab.com/gitlab-org/security-products/dast:1 ...8Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1586147938-4a7cfda2...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup15Downloading artifacts for dast_environment_deploy (37139622)...16Downloading artifacts from coordinator... ok id=37139622 responseStatus=200 OK token=vSnYDzmi18$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}19$ /analyze -t $DAST_WEBSITE202020-04-06 04:41:04,263 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]212020-04-06 04:41:04,264 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available222020-04-06 04:41:04,264 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io232020-04-06 04:41:04,618 starting scan242020-04-06 04:41:04,620 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-J', 'gl-dast-report.json'), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -addonupdate')]252020-04-06 04:41:04,620 Params: ['zap-x.sh', '-daemon', '-port', '49265', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-addonupdate']26Apr 06, 2020 4:41:10 AM java.util.prefs.FileSystemPreferences$1 run27INFO: Created user preferences directory.28[zap.out] Found Java version 1.8.0_24229[zap.out] Available memory: 3693 MB30[zap.out] Using JVM args: -Xmx923m31[zap.out] 405 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-02-10 started 06/04/20 04:41:05 with home /root/.ZAP_D/32[zap.out] 493 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null33[zap.out] 493 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null34[zap.out] 493 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null35[zap.out] 493 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null36[zap.out] 496 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null37[zap.out] 507 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...38[zap.out] 512 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...39[zap.out] 679 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]40[zap.out] 688 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.41[zap.out] 1447 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start42[zap.out] 1458 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end43[zap.out] 1588 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions44[zap.out] 4518 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=ascanrulesBeta, version=27.0.0], [id=bruteforce, version=9.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=27.0.0], [id=pscanrulesBeta, version=21.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.1.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=17.0.0], [id=webdrivermacos, version=16.0.0], [id=webdriverwindows, version=17.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]45[zap.out] 4973 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded46[zap.out] 5272 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates47[zap.out] 5280 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension48[zap.out] 5281 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension49[zap.out] 5281 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP50[zap.out] 5294 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension51[zap.out] 5295 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension52[zap.out] 5296 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension53[zap.out] 5297 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields54[zap.out] 5302 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions55[zap.out] 5305 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...56[zap.out] 5305 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses57[zap.out] 5306 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner58[zap.out] 5445 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules59[zap.out] 5445 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule60[zap.out] 5445 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure61[zap.out] 5446 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens62[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set63[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch64[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner65[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing66[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag67[zap.out] 5447 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie68[zap.out] 5448 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute69[zap.out] 5448 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag70[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration71[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion72[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages73[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL74[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header75[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments76[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method77[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState78[zap.out] 5449 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content79[zap.out] 5450 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure80[zap.out] 5450 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite81[zap.out] 5450 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure82[zap.out] 5450 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found83[zap.out] 5451 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner84[zap.out] 5454 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner85[zap.out] 5454 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing86[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak87[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner88[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)89[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)90[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set91[zap.out] 5455 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing92[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure93[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)94[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post95[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post96[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing97[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Scanner98[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache99[zap.out] 5456 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner100[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override101[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner102[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset103[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning104[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)105[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)106[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect107[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak108[zap.out] 5457 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak109[zap.out] 5485 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts110[zap.out] 5488 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added111[zap.out] 5505 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence112[zap.out] 5505 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site113[zap.out] 5516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks114[zap.out] 5518 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool115[zap.out] 5522 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner116[zap.out] 5523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension117[zap.out] 5523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences118[zap.out] 5523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters119[zap.out] 5523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens120[zap.out] 5530 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension121[zap.out] 5544 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]122[zap.out] 5545 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser123[zap.out] 5546 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only124[zap.out] 5546 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension125[zap.out] 5554 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies126[zap.out] 5555 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration127[zap.out] 5574 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages128[zap.out] 5827 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension129[zap.out] 5828 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions130[zap.out] 5831 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools131[zap.out] 6149 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff132[zap.out] 6154 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension133[zap.out] 6154 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration134[zap.out] 6154 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension135[zap.out] 6161 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]136[zap.out] 6162 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension137[zap.out] 6163 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.138[zap.out] 6180 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree139[zap.out] 6180 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.140[zap.out] 6180 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension141[zap.out] 6181 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax142[zap.out] 6182 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.143[zap.out] 6195 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations144[zap.out] 6196 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.145[zap.out] 6196 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs146[zap.out] 6196 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree147[zap.out] 6197 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide148[zap.out] 6197 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites149[zap.out] 6199 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts150[zap.out] 6200 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension151[zap.out] 6201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension152[zap.out] 6201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension153[zap.out] 6201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension154[zap.out] 6202 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension155[zap.out] 6203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension156[zap.out] 6207 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension157[zap.out] 6209 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.158[zap.out] 6209 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration159[zap.out] 6212 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics160[zap.out] 6214 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats161[zap.out] 6215 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.162[zap.out] 6220 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files163[zap.out] 6220 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules164[zap.out] 6220 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.165[zap.out] 6222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.166[zap.out] 6222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks167[zap.out] 6222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta168[zap.out] 6223 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 169[zap.out] 6249 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage170[zap.out] 6250 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter171[zap.out] 6256 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.172[zap.out] 6257 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules173[zap.out] 6257 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide174[zap.out] 6257 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses175[zap.out] 6260 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links176[zap.out] 6260 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage177[zap.out] 6260 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications178[zap.out] 6270 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan179[zap.out] 6270 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP180[zap.out] 6270 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP181[zap.out] 6270 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display182[zap.out] 6434 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch183[zap.out] 6435 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta184[zap.out] 6827 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:46177185[zap.out] 6827 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate186[zap.out] 7841 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created187[zap.out] 8853 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - There is/are 1 newer addons188[zap.out] 10656 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon selenium v15.2.0189[zap.out] 11026 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon selenium v15.2.0190[zap.out] 11079 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP_D/plugin/selenium-release-15.2.0.zap191[zap.out] 11079 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on update check complete192[zap.out] 11080 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:49265193[zap.out] 11524 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session194[zap.out] 11543 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session195[zap.out] 11544 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db196[zap.out] 11565 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start197[zap.out] 11568 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end198[zap.out] 11574 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3D2020-04-06 04:41:26,138 The following 4 URLs were scanned:203Total of 4 URLs204PASS: Cookie No HttpOnly Flag [10010]205PASS: Cookie Without Secure Flag [10011]206PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]207PASS: Cross-Domain JavaScript Source File Inclusion [10017]208PASS: Content-Type Header Missing [10019]209PASS: X-Frame-Options Header Scanner [10020]210PASS: X-Content-Type-Options Header Missing [10021]211PASS: Information Disclosure - Debug Error Messages [10023]212PASS: Information Disclosure - Sensitive Information in URL [10024]213PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]214PASS: HTTP Parameter Override [10026]215PASS: Information Disclosure - Suspicious Comments [10027]216PASS: Open Redirect [10028]217PASS: Cookie Poisoning [10029]218PASS: User Controllable Charset [10030]219PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]220PASS: Viewstate Scanner [10032]221PASS: Directory Browsing [10033]222PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]223PASS: Strict-Transport-Security Header Scanner [10035]224PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]225PASS: Content Security Policy (CSP) Header Not Set [10038]226PASS: X-Backend-Server Header Information Leak [10039]227PASS: Secure Pages Include Mixed Content [10040]228PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]229PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]230PASS: User Controllable JavaScript Event (XSS) [10043]231PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]232PASS: Retrieved from Cache [10050]233PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]234PASS: Cookie Without SameSite Attribute [10054]235PASS: CSP Scanner [10055]236PASS: X-Debug-Token Information Leak [10056]237PASS: Username Hash Found [10057]238PASS: X-AspNet-Version Response Header Scanner [10061]239PASS: PII Scanner [10062]240PASS: Timestamp Disclosure [10096]241PASS: Hash Disclosure [10097]242PASS: Cross-Domain Misconfiguration [10098]243PASS: Weak Authentication Method [10105]244PASS: Reverse Tabnabbing [10108]245PASS: Absence of Anti-CSRF Tokens [10202]246PASS: Private IP Disclosure [2]247PASS: Session ID in URL Rewrite [3]248PASS: Script Passive Scan Rules [50001]249PASS: Insecure JSF ViewState [90001]250PASS: Charset Mismatch [90011]251PASS: Application Error Disclosure [90022]252PASS: Loosely Scoped Cookie [90033]253WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 4 254 http://dast-4422333-dast-default.34.67.11.220.nip.io/ (308 Permanent Redirect)255 http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (308 Permanent Redirect)256 http://dast-4422333-dast-default.34.67.11.220.nip.io (308 Permanent Redirect)257 http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (308 Permanent Redirect)258FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 1 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 49259cat: /tmp/.X1-lock: No such file or directory260/zap/zap-x.sh: 10: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or261kill -l [exitstatus]265Uploading artifacts...266gl-dast-report.json: found 1 matching files 267Uploading artifacts to coordinator... ok id=37139623 responseStatus=201 Created token=-KVMUNLf268Job succeeded