dast
Passed Started
by
@dbodicherla
Dhiraj Bodicherla
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.0.0-rc2 (926834bc)2 on docker-auto-scale fa6cab464Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...6Using docker image sha256:a917421ce5a637d798e28e07b04d3b236ec24c9898805f5dd17895dc7f946fab for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...8Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1590090633-961ab656...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup15Downloading artifacts for dast_environment_deploy (37227566)...16Downloading artifacts from coordinator... ok id=37227566 responseStatus=200 OK token=D-MAvsFf18$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}19$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi20$ /analyze212020-05-21 19:52:35,734 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]222020-05-21 19:52:35,734 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available232020-05-21 19:52:35,734 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io242020-05-21 19:52:38,920 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io252020-05-21 19:52:41,994 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io262020-05-21 19:52:45,070 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io272020-05-21 19:52:48,148 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io282020-05-21 19:52:51,224 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io292020-05-21 19:52:54,301 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io302020-05-21 19:52:57,377 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io312020-05-21 19:53:00,458 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io322020-05-21 19:53:03,539 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io332020-05-21 19:53:06,615 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io342020-05-21 19:53:09,692 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io352020-05-21 19:53:12,769 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io362020-05-21 19:53:15,845 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io372020-05-21 19:53:18,925 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io382020-05-21 19:53:22,000 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io392020-05-21 19:53:25,077 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io402020-05-21 19:53:28,153 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io412020-05-21 19:53:31,229 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io422020-05-21 19:53:34,306 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io432020-05-21 19:53:34,379 http://dast-4422333-dast-default.34.67.11.220.nip.io could not be reached, attempting scan anyway442020-05-21 19:53:34,379 starting scan452020-05-21 19:53:34,380 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-J', 'gl-dast-report.json'), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]462020-05-21 19:53:34,381 Params: ['zap-x.sh', '-daemon', '-port', '52119', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-silent']47May 21, 2020 7:53:40 PM java.util.prefs.FileSystemPreferences$1 run48INFO: Created user preferences directory.49[zap.out] Found Java version 1.8.0_24250[zap.out] Available memory: 3693 MB51[zap.out] Using JVM args: -Xmx923m52[zap.out] 424 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-02-10 started 21/05/20 19:53:35 with home /root/.ZAP_D/53[zap.out] 481 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null54[zap.out] 483 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null55[zap.out] 484 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null56[zap.out] 484 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null57[zap.out] 484 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null58[zap.out] 496 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...59[zap.out] 496 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...60[zap.out] 681 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]61[zap.out] 690 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.62[zap.out] 1405 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start63[zap.out] 1418 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end64[zap.out] 1535 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions65[zap.out] 4931 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=ascanrulesBeta, version=27.0.0], [id=bruteforce, version=9.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=6.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=28.0.0], [id=pscanrulesBeta, version=21.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=17.0.0], [id=webdrivermacos, version=16.0.0], [id=webdriverwindows, version=17.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]66[zap.out] 5514 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded67[zap.out] 6201 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates68[zap.out] 6205 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension69[zap.out] 6206 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension70[zap.out] 6206 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP71[zap.out] 6217 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension72[zap.out] 6218 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension73[zap.out] 6219 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension74[zap.out] 6220 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields75[zap.out] 6224 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions76[zap.out] 6226 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...77[zap.out] 6226 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses78[zap.out] 6230 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner79[zap.out] 6378 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules80[zap.out] 6378 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule81[zap.out] 6378 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure82[zap.out] 6378 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens83[zap.out] 6381 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set84[zap.out] 6381 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch85[zap.out] 6382 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner86[zap.out] 6382 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing87[zap.out] 6382 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag88[zap.out] 6382 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie89[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute90[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag91[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration92[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion93[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages94[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL95[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header96[zap.out] 6386 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments97[zap.out] 6387 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method98[zap.out] 6387 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState99[zap.out] 6387 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content100[zap.out] 6387 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure101[zap.out] 6388 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite102[zap.out] 6388 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure103[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found104[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner105[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner106[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing107[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak108[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner109[zap.out] 6389 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)110[zap.out] 6390 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)111[zap.out] 6390 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set112[zap.out] 6390 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing113[zap.out] 6390 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure114[zap.out] 6390 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)115[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post116[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post117[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing118[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Scanner119[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache120[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner121[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override122[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner123[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset124[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning125[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)126[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)127[zap.out] 6391 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect128[zap.out] 6392 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak129[zap.out] 6392 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak130[zap.out] 6411 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts131[zap.out] 6413 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added132[zap.out] 6425 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence133[zap.out] 6425 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site134[zap.out] 6441 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks135[zap.out] 6442 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool136[zap.out] 6444 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner137[zap.out] 6445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension138[zap.out] 6445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences139[zap.out] 6445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters140[zap.out] 6445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens141[zap.out] 6458 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension142[zap.out] 6505 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]143[zap.out] 6506 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser144[zap.out] 6507 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only145[zap.out] 6507 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension146[zap.out] 6509 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies147[zap.out] 6510 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration148[zap.out] 6542 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages149[zap.out] 6800 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension150[zap.out] 6801 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions151[zap.out] 6805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools152[zap.out] 7125 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff153[zap.out] 7129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension154[zap.out] 7129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration155[zap.out] 7129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension156[zap.out] 7136 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]157[zap.out] 7137 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension158[zap.out] 7142 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.159[zap.out] 7159 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree160[zap.out] 7159 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.161[zap.out] 7159 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension162[zap.out] 7160 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax163[zap.out] 7161 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.164[zap.out] 7174 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations165[zap.out] 7174 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.166[zap.out] 7179 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs167[zap.out] 7179 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree168[zap.out] 7179 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide169[zap.out] 7180 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites170[zap.out] 7181 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts171[zap.out] 7182 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension172[zap.out] 7182 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension173[zap.out] 7182 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension174[zap.out] 7182 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension175[zap.out] 7183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension176[zap.out] 7184 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension177[zap.out] 7185 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension178[zap.out] 7186 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.179[zap.out] 7186 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration180[zap.out] 7194 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics181[zap.out] 7196 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats182[zap.out] 7197 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.183[zap.out] 7202 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files184[zap.out] 7202 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.185[zap.out] 7204 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.186[zap.out] 7204 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks187[zap.out] 7205 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta188[zap.out] 7205 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 189[zap.out] 7225 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage190[zap.out] 7226 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter191[zap.out] 7228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.192[zap.out] 7228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules193[zap.out] 7228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules194[zap.out] 7228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide195[zap.out] 7228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses196[zap.out] 7231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links197[zap.out] 7231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage198[zap.out] 7231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications199[zap.out] 7232 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled200[zap.out] 7232 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan201[zap.out] 7232 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP202[zap.out] 7232 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP203[zap.out] 7233 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display204[zap.out] 7345 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch205[zap.out] 7346 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta206[zap.out] 7626 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:41033207[zap.out] 7626 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate208[zap.out] 9421 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created209[zap.out] 9431 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:52119210[zap.out] 9431 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled211[zap.out] 9631 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session212[zap.out] 9685 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session213[zap.out] 9686 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db214[zap.out] 9699 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start215[zap.out] 9702 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end216[zap.out] 9707 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed217[zap.out] 9963 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start218[zap.out] 9967 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end219[zap.out] 12661 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Co2020-05-21 19:53:53,111 The following 4 URLs were scanned:224Total of 3 URLs225PASS: Cookie No HttpOnly Flag [10010]226PASS: Cookie Without Secure Flag [10011]227PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]228PASS: Cross-Domain JavaScript Source File Inclusion [10017]229PASS: Content-Type Header Missing [10019]230PASS: X-Frame-Options Header Scanner [10020]231PASS: X-Content-Type-Options Header Missing [10021]232PASS: Information Disclosure - Debug Error Messages [10023]233PASS: Information Disclosure - Sensitive Information in URL [10024]234PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]235PASS: HTTP Parameter Override [10026]236PASS: Information Disclosure - Suspicious Comments [10027]237PASS: Open Redirect [10028]238PASS: Cookie Poisoning [10029]239PASS: User Controllable Charset [10030]240PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]241PASS: Viewstate Scanner [10032]242PASS: Directory Browsing [10033]243PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]244PASS: Strict-Transport-Security Header Scanner [10035]245PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]246PASS: Content Security Policy (CSP) Header Not Set [10038]247PASS: X-Backend-Server Header Information Leak [10039]248PASS: Secure Pages Include Mixed Content [10040]249PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]250PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]251PASS: User Controllable JavaScript Event (XSS) [10043]252PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]253PASS: Retrieved from Cache [10050]254PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]255PASS: Cookie Without SameSite Attribute [10054]256PASS: CSP Scanner [10055]257PASS: X-Debug-Token Information Leak [10056]258PASS: Username Hash Found [10057]259PASS: X-AspNet-Version Response Header Scanner [10061]260PASS: PII Scanner [10062]261PASS: Timestamp Disclosure [10096]262PASS: Hash Disclosure [10097]263PASS: Cross-Domain Misconfiguration [10098]264PASS: Weak Authentication Method [10105]265PASS: Reverse Tabnabbing [10108]266PASS: Absence of Anti-CSRF Tokens [10202]267PASS: Private IP Disclosure [2]268PASS: Session ID in URL Rewrite [3]269PASS: Script Passive Scan Rules [50001]270PASS: Insecure JSF ViewState [90001]271PASS: Charset Mismatch [90011]272PASS: Application Error Disclosure [90022]273PASS: Loosely Scoped Cookie [90033]274WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 4 275 http://dast-4422333-dast-default.34.67.11.220.nip.io/ (404 Not Found)276 http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (404 Not Found)277 http://dast-4422333-dast-default.34.67.11.220.nip.io (404 Not Found)278 http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (404 Not Found)279FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 1 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 49280cat: /tmp/.X1-lock: No such file or directory281/zap/zap-x.sh: 10: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or282kill -l [exitstatus]286Uploading artifacts...287gl-dast-report.json: found 1 matching files 288Uploading artifacts to coordinator... ok id=37227567 responseStatus=201 Created token=Cm6JtAMF289Job succeeded