dast
Passed Started
by
@mrincon
Miguel Rincon
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.1.0-rc1 (b9d289ed)2 on docker-auto-scale fa6cab464Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...6Using docker image sha256:981ecf893df7870cd383f7b4b083b5886a7eb1c15ddf225b10a75ae865758af4 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...8Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1592802978-514efaac...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup14Downloading artifacts for dast_environment_deploy (37263226)...15Downloading artifacts from coordinator... ok id=37263226 responseStatus=200 OK token=A_bYZyb617$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}18$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi19$ /analyze202020-06-22 05:18:15,061 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]212020-06-22 05:18:15,061 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available222020-06-22 05:18:15,062 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io232020-06-22 05:18:18,262 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io242020-06-22 05:18:21,451 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io252020-06-22 05:18:24,634 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io262020-06-22 05:18:27,818 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io272020-06-22 05:18:30,897 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io282020-06-22 05:18:34,079 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io292020-06-22 05:18:37,157 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io302020-06-22 05:18:40,233 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io312020-06-22 05:18:43,313 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io322020-06-22 05:18:46,496 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io332020-06-22 05:18:49,581 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io342020-06-22 05:18:52,660 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io352020-06-22 05:18:55,739 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io362020-06-22 05:18:58,922 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io372020-06-22 05:19:02,002 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io382020-06-22 05:19:05,079 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io392020-06-22 05:19:08,157 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io402020-06-22 05:19:11,235 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io412020-06-22 05:19:14,314 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io422020-06-22 05:19:14,391 http://dast-4422333-dast-default.34.67.11.220.nip.io could not be reached, attempting scan anyway432020-06-22 05:19:14,392 starting scan442020-06-22 05:19:14,393 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]452020-06-22 05:19:14,394 Params: ['zap-x.sh', '-daemon', '-port', '58695', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-silent']46Jun 22, 2020 5:19:21 AM java.util.prefs.FileSystemPreferences$1 run47INFO: Created user preferences directory.48[zap.out] Found Java version 1.8.0_24249[zap.out] Available memory: 3693 MB50[zap.out] Using JVM args: -Xmx923m51[zap.out] 413 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-02-10 started 22/06/20 05:19:15 with home /root/.ZAP_D/52[zap.out] 472 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null53[zap.out] 476 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null54[zap.out] 476 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null55[zap.out] 476 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null56[zap.out] 477 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null57[zap.out] 491 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...58[zap.out] 491 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...59[zap.out] 667 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]60[zap.out] 681 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.61[zap.out] 1422 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start62[zap.out] 1433 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end63[zap.out] 1545 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions64[zap.out] 4845 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=ascanrulesBeta, version=27.0.0], [id=bruteforce, version=9.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=6.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=28.0.0], [id=pscanrulesBeta, version=21.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=17.0.0], [id=webdrivermacos, version=16.0.0], [id=webdriverwindows, version=17.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]65[zap.out] 5439 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded66[zap.out] 6399 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates67[zap.out] 6403 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension68[zap.out] 6403 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension69[zap.out] 6404 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP70[zap.out] 6423 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension71[zap.out] 6423 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension72[zap.out] 6424 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension73[zap.out] 6425 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields74[zap.out] 6429 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions75[zap.out] 6431 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...76[zap.out] 6431 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses77[zap.out] 6432 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner78[zap.out] 6597 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules79[zap.out] 6601 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule80[zap.out] 6601 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure81[zap.out] 6601 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens82[zap.out] 6603 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set83[zap.out] 6603 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch84[zap.out] 6603 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner85[zap.out] 6603 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing86[zap.out] 6603 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag87[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie88[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute89[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag90[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration91[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion92[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages93[zap.out] 6604 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL94[zap.out] 6605 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header95[zap.out] 6605 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments96[zap.out] 6605 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method97[zap.out] 6605 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState98[zap.out] 6605 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content99[zap.out] 6606 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure100[zap.out] 6606 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite101[zap.out] 6610 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure102[zap.out] 6610 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found103[zap.out] 6610 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner104[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner105[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing106[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak107[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner108[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)109[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)110[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set111[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing112[zap.out] 6611 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure113[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)114[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post115[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post116[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing117[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Scanner118[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache119[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner120[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override121[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner122[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset123[zap.out] 6612 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning124[zap.out] 6613 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)125[zap.out] 6613 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)126[zap.out] 6613 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect127[zap.out] 6613 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak128[zap.out] 6613 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak129[zap.out] 6643 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts130[zap.out] 6645 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added131[zap.out] 6660 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence132[zap.out] 6664 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site133[zap.out] 6676 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks134[zap.out] 6677 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool135[zap.out] 6678 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner136[zap.out] 6679 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension137[zap.out] 6679 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences138[zap.out] 6679 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters139[zap.out] 6679 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens140[zap.out] 6690 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension141[zap.out] 6715 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]142[zap.out] 6716 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser143[zap.out] 6720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only144[zap.out] 6720 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension145[zap.out] 6722 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies146[zap.out] 6724 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration147[zap.out] 6757 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages148[zap.out] 6977 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension149[zap.out] 6983 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions150[zap.out] 6984 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools151[zap.out] 7331 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff152[zap.out] 7331 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension153[zap.out] 7331 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration154[zap.out] 7331 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension155[zap.out] 7341 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]156[zap.out] 7342 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension157[zap.out] 7346 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.158[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree159[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.160[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension161[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax162[zap.out] 7362 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.163[zap.out] 7372 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations164[zap.out] 7376 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.165[zap.out] 7377 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs166[zap.out] 7377 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree167[zap.out] 7380 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide168[zap.out] 7380 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites169[zap.out] 7381 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts170[zap.out] 7382 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension171[zap.out] 7382 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension172[zap.out] 7382 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension173[zap.out] 7382 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension174[zap.out] 7383 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension175[zap.out] 7384 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension176[zap.out] 7384 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension177[zap.out] 7387 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.178[zap.out] 7390 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration179[zap.out] 7392 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics180[zap.out] 7393 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats181[zap.out] 7398 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.182[zap.out] 7399 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files183[zap.out] 7399 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.184[zap.out] 7401 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.185[zap.out] 7402 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks186[zap.out] 7406 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta187[zap.out] 7406 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 188[zap.out] 7429 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage189[zap.out] 7430 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter190[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.191[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules192[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules193[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide194[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses195[zap.out] 7441 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links196[zap.out] 7445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage197[zap.out] 7445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications198[zap.out] 7446 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled199[zap.out] 7446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan200[zap.out] 7446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP201[zap.out] 7446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP202[zap.out] 7447 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display203[zap.out] 7569 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch204[zap.out] 7570 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta205[zap.out] 7781 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:37905206[zap.out] 7781 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate207[zap.out] 9675 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created208[zap.out] 9682 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:58695209[zap.out] 9683 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled210[zap.out] 10526 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session211[zap.out] 10566 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session212[zap.out] 10566 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db213[zap.out] 10582 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start214[zap.out] 10585 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end215[zap.out] 10590 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed216[zap.out] 10839 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start217[zap.out] 10845 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end218[zap.out] 13547 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering sc2020-06-22 05:19:33,940 The following 4 URLs were scanned:223Total of 3 URLs224PASS: Cookie No HttpOnly Flag [10010]225PASS: Cookie Without Secure Flag [10011]226PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]227PASS: Cross-Domain JavaScript Source File Inclusion [10017]228PASS: Content-Type Header Missing [10019]229PASS: X-Frame-Options Header Scanner [10020]230PASS: X-Content-Type-Options Header Missing [10021]231PASS: Information Disclosure - Debug Error Messages [10023]232PASS: Information Disclosure - Sensitive Information in URL [10024]233PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]234PASS: HTTP Parameter Override [10026]235PASS: Information Disclosure - Suspicious Comments [10027]236PASS: Open Redirect [10028]237PASS: Cookie Poisoning [10029]238PASS: User Controllable Charset [10030]239PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]240PASS: Viewstate Scanner [10032]241PASS: Directory Browsing [10033]242PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]243PASS: Strict-Transport-Security Header Scanner [10035]244PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]245PASS: Content Security Policy (CSP) Header Not Set [10038]246PASS: X-Backend-Server Header Information Leak [10039]247PASS: Secure Pages Include Mixed Content [10040]248PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]249PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]250PASS: User Controllable JavaScript Event (XSS) [10043]251PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]252PASS: Retrieved from Cache [10050]253PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]254PASS: Cookie Without SameSite Attribute [10054]255PASS: CSP Scanner [10055]256PASS: X-Debug-Token Information Leak [10056]257PASS: Username Hash Found [10057]258PASS: X-AspNet-Version Response Header Scanner [10061]259PASS: PII Scanner [10062]260PASS: Timestamp Disclosure [10096]261PASS: Hash Disclosure [10097]262PASS: Cross-Domain Misconfiguration [10098]263PASS: Weak Authentication Method [10105]264PASS: Reverse Tabnabbing [10108]265PASS: Absence of Anti-CSRF Tokens [10202]266PASS: Private IP Disclosure [2]267PASS: Session ID in URL Rewrite [3]268PASS: Script Passive Scan Rules [50001]269PASS: Insecure JSF ViewState [90001]270PASS: Charset Mismatch [90011]271PASS: Application Error Disclosure [90022]272PASS: Loosely Scoped Cookie [90033]273WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 4 274 http://dast-4422333-dast-default.34.67.11.220.nip.io/ (404 Not Found)275 http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (404 Not Found)276 http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (404 Not Found)277 http://dast-4422333-dast-default.34.67.11.220.nip.io (404 Not Found)278FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 1 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 49280Uploading artifacts...281gl-dast-report.json: found 1 matching files and directories 282Uploading artifacts as "dast" to coordinator... ok id=37263227 responseStatus=201 Created token=wxhR2pA9283Job succeeded