dast
Passed Started
by
@syasonik-admin
Sarah Yasonik
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.1.0 (6214287e)2 on docker-auto-scale fa6cab464Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...6Using docker image sha256:fed06e9002d61e113f75f3b10e798bc26128bdfdc3e9fde8b2899e35d1f6aa58 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...8Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1594395800-a0d07419...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup14Downloading artifacts for dast_environment_deploy (37557109)...15Downloading artifacts from coordinator... ok id=37557109 responseStatus=200 OK token=uKdfpr4L17$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}18$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi19$ /analyze202020-07-10 15:45:24,004 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]212020-07-10 15:45:24,004 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available222020-07-10 15:45:24,004 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io232020-07-10 15:45:24,352 starting scan242020-07-10 15:45:24,353 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]252020-07-10 15:45:24,354 Params: ['zap-x.sh', '-daemon', '-port', '33209', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-silent']26_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.27Jul 10, 2020 3:45:30 PM java.util.prefs.FileSystemPreferences$1 run28INFO: Created user preferences directory.29[zap.out] Found Java version 1.8.0_24230[zap.out] Available memory: 3693 MB31[zap.out] Using JVM args: -Xmx923m32[zap.out] 410 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-02-10 started 10/07/20 15:45:25 with home /home/zap/.ZAP_D/33[zap.out] 475 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null34[zap.out] 478 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null35[zap.out] 478 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null36[zap.out] 479 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null37[zap.out] 479 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null38[zap.out] 495 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...39[zap.out] 495 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...40[zap.out] 686 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]41[zap.out] 698 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.42[zap.out] 1446 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start43[zap.out] 1453 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end44[zap.out] 1575 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions45[zap.out] 4975 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=34.0.0], [id=ascanrulesBeta, version=27.0.0], [id=bruteforce, version=9.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=6.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=15.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=28.0.0], [id=pscanrulesBeta, version=21.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=17.0.0], [id=webdrivermacos, version=16.0.0], [id=webdriverwindows, version=17.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]46[zap.out] 5689 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded47[zap.out] 5987 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates48[zap.out] 5992 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension49[zap.out] 5992 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension50[zap.out] 5992 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP51[zap.out] 6011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension52[zap.out] 6011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension53[zap.out] 6016 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension54[zap.out] 6018 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields55[zap.out] 6018 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions56[zap.out] 6020 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...57[zap.out] 6021 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses58[zap.out] 6022 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner59[zap.out] 6195 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules60[zap.out] 6197 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule61[zap.out] 6198 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure62[zap.out] 6198 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens63[zap.out] 6205 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set64[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch65[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner66[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing67[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag68[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie69[zap.out] 6206 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute70[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag71[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration72[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion73[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages74[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL75[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header76[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments77[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method78[zap.out] 6207 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState79[zap.out] 6208 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content80[zap.out] 6208 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure81[zap.out] 6209 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite82[zap.out] 6209 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure83[zap.out] 6209 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found84[zap.out] 6210 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner85[zap.out] 6210 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner86[zap.out] 6210 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing87[zap.out] 6210 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak88[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner89[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)90[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)91[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set92[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing93[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure94[zap.out] 6211 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)95[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post96[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post97[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing98[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Scanner99[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache100[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner101[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override102[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner103[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset104[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning105[zap.out] 6212 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)106[zap.out] 6216 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)107[zap.out] 6216 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect108[zap.out] 6216 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak109[zap.out] 6216 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak110[zap.out] 6231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts111[zap.out] 6236 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added112[zap.out] 6245 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence113[zap.out] 6247 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site114[zap.out] 6260 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks115[zap.out] 6260 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool116[zap.out] 6261 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner117[zap.out] 6262 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension118[zap.out] 6262 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences119[zap.out] 6262 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters120[zap.out] 6263 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens121[zap.out] 6274 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension122[zap.out] 6302 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]123[zap.out] 6304 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser124[zap.out] 6308 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only125[zap.out] 6308 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension126[zap.out] 6310 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies127[zap.out] 6312 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration128[zap.out] 6346 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages129[zap.out] 6603 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension130[zap.out] 6606 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions131[zap.out] 6608 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools132[zap.out] 6956 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff133[zap.out] 6956 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension134[zap.out] 6956 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration135[zap.out] 6956 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension136[zap.out] 6969 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]137[zap.out] 6970 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension138[zap.out] 6970 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.139[zap.out] 6989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree140[zap.out] 6989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.141[zap.out] 6990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension142[zap.out] 6990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax143[zap.out] 6991 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.144[zap.out] 7003 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations145[zap.out] 7004 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.146[zap.out] 7004 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs147[zap.out] 7005 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree148[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide149[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites150[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts151[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension152[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension153[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension154[zap.out] 7012 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension155[zap.out] 7013 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension156[zap.out] 7014 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension157[zap.out] 7014 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension158[zap.out] 7016 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.159[zap.out] 7016 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration160[zap.out] 7024 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics161[zap.out] 7025 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats162[zap.out] 7026 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.163[zap.out] 7030 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files164[zap.out] 7030 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.165[zap.out] 7035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.166[zap.out] 7035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks167[zap.out] 7036 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta168[zap.out] 7036 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 169[zap.out] 7051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage170[zap.out] 7052 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter171[zap.out] 7054 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.172[zap.out] 7054 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules173[zap.out] 7054 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules174[zap.out] 7055 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide175[zap.out] 7055 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses176[zap.out] 7058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links177[zap.out] 7058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage178[zap.out] 7058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications179[zap.out] 7060 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled180[zap.out] 7060 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan181[zap.out] 7060 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP182[zap.out] 7060 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP183[zap.out] 7061 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display184[zap.out] 7190 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch185[zap.out] 7191 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta186[zap.out] 7449 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:43477187[zap.out] 7449 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate188[zap.out] 8601 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created189[zap.out] 8607 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:33209190[zap.out] 8608 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled191[zap.out] 9629 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session192[zap.out] 9665 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session193[zap.out] 9666 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db194[zap.out] 9681 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start195[zap.out] 9684 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end196[zap.out] 9690 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed197[zap.out] 9935 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start198[zap.out] 9942 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end199[zap.out] 13660 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan o2020-07-10 15:45:44,394 The following 4 URLs were scanned:204Total of 4 URLs205PASS: Script Passive Scan Rules [50001]206PASS: Stats Passive Scan Rule [50003]207PASS: Application Error Disclosure [90022]208PASS: Absence of Anti-CSRF Tokens [10202]209WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1211PASS: Charset Mismatch [90011]212PASS: CSP Scanner [10055]213PASS: Content-Type Header Missing [10019]214PASS: Cookie No HttpOnly Flag [10010]215PASS: Loosely Scoped Cookie [90033]216PASS: Cookie Without SameSite Attribute [10054]217PASS: Cookie Without Secure Flag [10011]218PASS: Cross-Domain Misconfiguration [10098]219PASS: Cross-Domain JavaScript Source File Inclusion [10017]220PASS: Information Disclosure - Debug Error Messages [10023]221PASS: Information Disclosure - Sensitive Information in URL [10024]222PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]223PASS: Information Disclosure - Suspicious Comments [10027]224PASS: Weak Authentication Method [10105]225PASS: Insecure JSF ViewState [90001]226PASS: Secure Pages Include Mixed Content [10040]227PASS: Private IP Disclosure [2]228PASS: Session ID in URL Rewrite [3]229PASS: Timestamp Disclosure [10096]230PASS: Username Hash Found [10057]231PASS: Viewstate Scanner [10032]232PASS: X-AspNet-Version Response Header Scanner [10061]233WARN: X-Content-Type-Options Header Missing [10021] x 1235PASS: X-Debug-Token Information Leak [10056]236WARN: X-Frame-Options Header Scanner [10020] x 1238WARN: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 1240PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]241WARN: Content Security Policy (CSP) Header Not Set [10038] x 1243PASS: Directory Browsing [10033]244PASS: Hash Disclosure [10097]245PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]246PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]247PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]248PASS: Reverse Tabnabbing [10108]249PASS: PII Scanner [10062]250PASS: Retrieved from Cache [10050]251WARN: HTTP Server Response Header Scanner [10036] x 5257PASS: HTTP Parameter Override [10026]258PASS: Strict-Transport-Security Header Scanner [10035]259PASS: User Controllable Charset [10030]260PASS: Cookie Poisoning [10029]261PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]262PASS: User Controllable JavaScript Event (XSS) [10043]263PASS: Open Redirect [10028]264PASS: X-Backend-Server Header Information Leak [10039]265PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]266PASS: Path Traversal [6]267PASS: Remote File Inclusion [7]268PASS: Source Code Disclosure - /WEB-INF folder [10045]269PASS: Server Side Include [40009]270PASS: Cross Site Scripting (Reflected) [40012]271PASS: Cross Site Scripting (Persistent) [40014]272PASS: SQL Injection [40018]273PASS: Server Side Code Injection [90019]274PASS: Remote OS Command Injection [90020]275PASS: Directory Browsing [0]276PASS: External Redirect [20019]277PASS: Buffer Overflow [30001]278PASS: Format String Error [30002]279PASS: CRLF Injection [40003]280PASS: Parameter Tampering [40008]281PASS: Cross Site Scripting (Persistent) - Prime [40016]282PASS: Cross Site Scripting (Persistent) - Spider [40017]283PASS: Script Active Scan Rules [50000]284PASS: Source Code Disclosure - Git [41]285PASS: Source Code Disclosure - File Inclusion [43]286PASS: Remote Code Execution - Shell Shock [10048]287PASS: Httpoxy - Proxy Header Misuse [10107]288PASS: Anti CSRF Tokens Scanner [20012]289PASS: Heartbleed OpenSSL Vulnerability [20015]290PASS: Cross-Domain Misconfiguration [20016]291PASS: Source Code Disclosure - CVE-2012-1823 [20017]292PASS: Remote Code Execution - CVE-2012-1823 [20018]293PASS: Session Fixation [40013]294PASS: SQL Injection - MySQL [40019]295PASS: SQL Injection - Hypersonic SQL [40020]296PASS: SQL Injection - Oracle [40021]297PASS: SQL Injection - PostgreSQL [40022]298PASS: SQL Injection - SQLite [40024]299PASS: SQL Injection - MsSQL [40027]300PASS: XPath Injection [90021]301PASS: XML External Entity Attack [90023]302PASS: Generic Padding Oracle [90024]303PASS: Expression Language Injection [90025]304PASS: Source Code Disclosure - SVN [42]305PASS: Relative Path Confusion [10051]306PASS: Apache Range Header DoS (CVE-2011-3192) [10053]307PASS: Backup File Disclosure [10095]308PASS: User Agent Fuzzer [10104]309PASS: HTTP Only Site [10106]310PASS: Integer Overflow Error [30003]311PASS: Proxy Disclosure [40025]312PASS: ELMAH Information Leak [40028]313PASS: Trace.axd Information Leak [40029]314PASS: .htaccess Information Leak [40032]315PASS: Insecure HTTP Method [90028]316PASS: HTTPS Content Available via HTTP [10047]317PASS: GET for POST [10058]318PASS: HTTP Parameter Pollution scanner [20014]319PASS: Possible Username Enumeration [40023]320PASS: Cookie Slack Detector [90027]321SUMMARY - PASS: 100 | WARN: 6323Uploading artifacts...324gl-dast-report.json: found 1 matching files and directories 325Uploading artifacts as "dast" to coordinator... ok id=37557110 responseStatus=201 Created token=-2V5qJzx326Job succeeded