�[0KRunning with gitlab-runner 13.1.0 (6214287e)
�[0;m�[0K on docker-auto-scale fa6cab46
�[0;msection_start:1594623286:prepare_executor
�[0K�[0K�[36;1mPreparing the "docker+machine" executor�[0;m
�[0;m�[0KUsing Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
�[0;m�[0KPulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
�[0;m�[0KUsing docker image sha256:6405ae51158b2fb831dde206e54589e347aaea2cf2c4d5fc285a76f6ddf0fa1f for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
�[0;msection_end:1594623404:prepare_executor
�[0Ksection_start:1594623404:prepare_script
�[0K�[0K�[36;1mPreparing environment�[0;m
�[0;mRunning on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1594623286-90550dd1...
section_end:1594623408:prepare_script
�[0Ksection_start:1594623408:get_sources
�[0K�[0K�[36;1mGetting source from Git repository�[0;m
�[0;m�[32;1mSkipping Git repository setup�[0;m
�[32;1mSkipping Git checkout�[0;m
�[32;1mSkipping Git submodules setup�[0;m
section_end:1594623409:get_sources
�[0Ksection_start:1594623409:download_artifacts
�[0K�[0K�[36;1mDownloading artifacts�[0;m
�[0;m�[32;1mDownloading artifacts for dast_environment_deploy (37560066)...�[0;m
Downloading artifacts from coordinator... ok �[0;m id�[0;m=37560066 responseStatus�[0;m=200 OK token�[0;m=aK6vxQxD
section_end:1594623411:download_artifacts
�[0Ksection_start:1594623411:step_script
�[0K�[0K�[36;1mExecuting "step_script" stage of the job script�[0;m
�[0;m�[32;1m$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}�[0;m
�[32;1m$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi�[0;m
�[32;1m$ /analyze�[0;m
2020-07-13 06:56:53,222 using Python 3.8.2 (default, Apr 27 2020, 15:53:34) [GCC 9.3.0]
2020-07-13 06:56:53,223 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available
2020-07-13 06:56:53,223 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:56:56,412 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:56:59,491 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:02,568 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:05,644 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:08,722 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:11,798 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:14,876 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:17,953 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:21,032 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:24,111 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:27,188 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:30,262 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:33,338 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:36,415 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:39,488 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:42,568 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:45,644 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:48,722 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:51,800 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
2020-07-13 06:57:51,874 http://dast-4422333-dast-default.34.67.11.220.nip.io could not be reached, attempting scan anyway
2020-07-13 06:57:51,875 starting scan
2020-07-13 06:57:51,876 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]
2020-07-13 06:57:51,876 Params: ['zap-x.sh', '-daemon', '-port', '46224', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-silent']
Jul 13, 2020 6:57:59 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
[zap.out] Found Java version 11.0.7
[zap.out] Available memory: 3693 MB
[zap.out] Using JVM args: -Xmx923m
[zap.out] 612 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-06-30 started 13/07/2020, 06:57:53 with home /home/zap/.ZAP_D/
[zap.out] 676 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
[zap.out] 682 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
[zap.out] 682 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
[zap.out] 682 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null
[zap.out] 685 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
[zap.out] 706 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
[zap.out] 707 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
[zap.out] 903 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
[zap.out] 921 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
[zap.out] 2025 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
[zap.out] 2041 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
[zap.out] 2262 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[zap.out] 5513 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=35.0.0], [id=ascanrulesBeta, version=28.0.0], [id=bruteforce, version=9.0.0], [id=commonlib, version=1.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=encoder, version=0.3.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=7.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=16.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=29.0.0], [id=pscanrulesBeta, version=22.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.4.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=18.0.0], [id=webdrivermacos, version=17.0.0], [id=webdriverwindows, version=18.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]
[zap.out] 6454 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
[zap.out] 6786 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
[zap.out] 6796 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
[zap.out] 6796 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
[zap.out] 6796 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
[zap.out] 6809 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
[zap.out] 6809 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
[zap.out] 6810 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
[zap.out] 6815 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
[zap.out] 6816 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
[zap.out] 6817 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
[zap.out] 6818 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
[zap.out] 7035 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
[zap.out] 7042 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
[zap.out] 7043 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
[zap.out] 7043 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
[zap.out] 7044 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
[zap.out] 7045 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
[zap.out] 7045 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
[zap.out] 7045 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
[zap.out] 7045 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
[zap.out] 7045 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
[zap.out] 7046 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
[zap.out] 7047 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
[zap.out] 7047 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
[zap.out] 7048 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
[zap.out] 7049 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
[zap.out] 7049 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
[zap.out] 7049 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
[zap.out] 7049 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
[zap.out] 7052 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
[zap.out] 7052 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
[zap.out] 7052 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner
[zap.out] 7053 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
[zap.out] 7072 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
[zap.out] 7074 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
[zap.out] 7085 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
[zap.out] 7091 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
[zap.out] 7102 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
[zap.out] 7104 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
[zap.out] 7105 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
[zap.out] 7105 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
[zap.out] 7105 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
[zap.out] 7106 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
[zap.out] 7106 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
[zap.out] 7111 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
[zap.out] 7133 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
[zap.out] 7135 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
[zap.out] 7136 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
[zap.out] 7136 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
[zap.out] 7139 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
[zap.out] 7140 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
[zap.out] 7189 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
[zap.out] 7584 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
[zap.out] 7586 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
[zap.out] 7590 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
[zap.out] 8147 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
[zap.out] 8148 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
[zap.out] 8148 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
[zap.out] 8152 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
[zap.out] 8152 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
[zap.out] 8160 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
[zap.out] 8161 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
[zap.out] 8164 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
[zap.out] 8203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
[zap.out] 8203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
[zap.out] 8203 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
[zap.out] 8204 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
[zap.out] 8207 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
[zap.out] 8221 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
[zap.out] 8221 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
[zap.out] 8222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
[zap.out] 8222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
[zap.out] 8222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
[zap.out] 8222 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
[zap.out] 8224 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
[zap.out] 8225 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
[zap.out] 8226 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
[zap.out] 8227 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
[zap.out] 8227 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
[zap.out] 8228 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
[zap.out] 8230 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
[zap.out] 8230 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
[zap.out] 8231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
[zap.out] 8231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
[zap.out] 8235 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
[zap.out] 8242 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
[zap.out] 8243 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
[zap.out] 8247 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
[zap.out] 8247 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
[zap.out] 8250 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
[zap.out] 8250 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
[zap.out] 8251 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
[zap.out] 8251 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
[zap.out] 8252 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
[zap.out] 8257 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
[zap.out] 8257 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
[zap.out] 8284 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
[zap.out] 8285 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
[zap.out] 8293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
[zap.out] 8293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
[zap.out] 8293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
[zap.out] 8293 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
[zap.out] 8294 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
[zap.out] 8295 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled
[zap.out] 8295 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
[zap.out] 8295 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap.out] 8295 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
[zap.out] 8296 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
[zap.out] 8417 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
[zap.out] 8418 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
[zap.out] 8647 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:34609
[zap.out] 8648 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
[zap.out] 11298 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
[zap.out] 11300 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:46224
[zap.out] 11301 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
[zap.out] 11963 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session
[zap.out] 12000 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session
[zap.out] 12001 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db
[zap.out] 12027 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
[zap.out] 12030 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
[zap.out]2020-07-13 06:58:13,702 The following 4 URLs were scanned:
GET http://dast-4422333-dast-default.34.67.11.220.nip.io
GET http://dast-4422333-dast-default.34.67.11.220.nip.io/
GET http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt
GET http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml
Total of 3 URLs
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Vulnerable JS Library [10003]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: Directory Browsing [10033]
PASS: Hash Disclosure [10097]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: PII Disclosure [10062]
PASS: Retrieved from Cache [10050]
WARN: HTTP Server Response Header Scanner [10036] x 4
http://dast-4422333-dast-default.34.67.11.220.nip.io/ (404)
http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (404)
http://dast-4422333-dast-default.34.67.11.220.nip.io (404)
http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (404)
PASS: HTTP Parameter Override [10026]
PASS: Strict-Transport-Security Header Scanner [10035]
PASS: User Controllable Charset [10030]
PASS: Cookie Poisoning [10029]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Open Redirect [10028]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Application Error Disclosure [90022]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Charset Mismatch [90011]
PASS: CSP Scanner [10055]
PASS: Content-Type Header Missing [10019]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Loosely Scoped Cookie [90033]
PASS: Cookie Without SameSite Attribute [10054]
PASS: Cookie Without Secure Flag [10011]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Weak Authentication Method [10105]
PASS: Insecure JSF ViewState [90001]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Timestamp Disclosure [10096]
PASS: Username Hash Found [10057]
PASS: Viewstate Scanner [10032]
PASS: X-AspNet-Version Response Header Scanner [10061]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: X-Debug-Token Information Leak [10056]
PASS: X-Frame-Options Header Scanner [10020]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Path Traversal [6]
PASS: Remote File Inclusion [7]
PASS: Source Code Disclosure - /WEB-INF folder [10045]
PASS: External Redirect [20019]
PASS: Server Side Include [40009]
PASS: Cross Site Scripting (Reflected) [40012]
PASS: Cross Site Scripting (Persistent) [40014]
PASS: SQL Injection [40018]
PASS: Server Side Code Injection [90019]
PASS: Remote OS Command Injection [90020]
PASS: Directory Browsing [0]
PASS: Buffer Overflow [30001]
PASS: Format String Error [30002]
PASS: CRLF Injection [40003]
PASS: Parameter Tampering [40008]
PASS: Cross Site Scripting (Persistent) - Prime [40016]
PASS: Cross Site Scripting (Persistent) - Spider [40017]
PASS: Script Active Scan Rules [50000]
PASS: Source Code Disclosure - Git [41]
PASS: Source Code Disclosure - File Inclusion [43]
PASS: Remote Code Execution - Shell Shock [10048]
PASS: Httpoxy - Proxy Header Misuse [10107]
PASS: Anti CSRF Tokens Scanner [20012]
PASS: Heartbleed OpenSSL Vulnerability [20015]
PASS: Cross-Domain Misconfiguration [20016]
PASS: Source Code Disclosure - CVE-2012-1823 [20017]
PASS: Remote Code Execution - CVE-2012-1823 [20018]
PASS: Session Fixation [40013]
PASS: SQL Injection - MySQL [40019]
PASS: SQL Injection - Hypersonic SQL [40020]
PASS: SQL Injection - Oracle [40021]
PASS: SQL Injection - PostgreSQL [40022]
PASS: SQL Injection - SQLite [40024]
PASS: SQL Injection - MsSQL [40027]
PASS: XPath Injection [90021]
PASS: XML External Entity Attack [90023]
PASS: Generic Padding Oracle [90024]
PASS: Expression Language Injection [90025]
PASS: Source Code Disclosure - SVN [42]
PASS: Relative Path Confusion [10051]
PASS: Apache Range Header DoS (CVE-2011-3192) [10053]
PASS: Backup File Disclosure [10095]
PASS: HTTP Only Site [10106]
PASS: Integer Overflow Error [30003]
PASS: Proxy Disclosure [40025]
PASS: ELMAH Information Leak [40028]
PASS: Trace.axd Information Leak [40029]
PASS: .htaccess Information Leak [40032]
PASS: Insecure HTTP Method [90028]
PASS: HTTPS Content Available via HTTP [10047]
PASS: GET for POST [10058]
PASS: User Agent Fuzzer [10104]
PASS: HTTP Parameter Pollution scanner [20014]
PASS: Possible Username Enumeration [40023]
PASS: Cookie Slack Detector [90027]
SUMMARY - PASS: 107 | WARN: 1
cat: /tmp/.X1-lock: No such file or directory
/zap/zap-x.sh: 10: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
12035 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
[zap.out] 12293 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
[zap.out] 12297 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
[zap.out] 14990 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Target Context at Mon Jul 13 06:58:08 UTC 2020
[zap.out] 15000 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
[zap.out] 15045 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
[zap.out] 15220 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
[zap.out] 15226 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
section_end:1594623494:step_script
�[0Ksection_start:1594623494:upload_artifacts_on_success
�[0K�[0K�[36;1mUploading artifacts for successful job�[0;m
�[0;m�[32;1mUploading artifacts...�[0;m
gl-dast-report.json: found 1 matching files and directories�[0;m
Uploading artifacts as "dast" to coordinator... ok�[0;m id�[0;m=37560067 responseStatus�[0;m=201 Created token�[0;m=yTdRVzdZ
section_end:1594623497:upload_artifacts_on_success
�[0K�[32;1mJob succeeded
�[0;m