dast
Passed Started
by
@mrincon
Miguel Rincon
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.1.0 (6214287e)2 on docker-auto-scale 729897614Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...6Using docker image sha256:6405ae51158b2fb831dde206e54589e347aaea2cf2c4d5fc285a76f6ddf0fa1f for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...8Running on runner-72989761-project-4422333-concurrent-0 via runner-72989761-stg-srm-1594623356-678a6b3a...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup14Downloading artifacts for dast_environment_deploy (37560089)...15Downloading artifacts from coordinator... ok id=37560089 responseStatus=200 OK token=ScTSUVtS17$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}18$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi19$ /analyze202020-07-13 06:58:01,277 using Python 3.8.2 (default, Apr 27 2020, 15:53:34) [GCC 9.3.0]212020-07-13 06:58:01,278 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available222020-07-13 06:58:01,278 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io232020-07-13 06:58:04,510 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io242020-07-13 06:58:07,585 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io252020-07-13 06:58:10,661 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io262020-07-13 06:58:13,737 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io272020-07-13 06:58:16,813 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io282020-07-13 06:58:19,889 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io292020-07-13 06:58:22,966 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io302020-07-13 06:58:26,043 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io312020-07-13 06:58:29,120 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io322020-07-13 06:58:32,195 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io332020-07-13 06:58:35,273 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io342020-07-13 06:58:38,351 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io352020-07-13 06:58:41,427 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io362020-07-13 06:58:44,504 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io372020-07-13 06:58:47,580 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io382020-07-13 06:58:50,656 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io392020-07-13 06:58:53,732 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io402020-07-13 06:58:56,810 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io412020-07-13 06:58:59,887 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io422020-07-13 06:58:59,961 http://dast-4422333-dast-default.34.67.11.220.nip.io could not be reached, attempting scan anyway432020-07-13 06:58:59,962 starting scan442020-07-13 06:58:59,963 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]452020-07-13 06:58:59,964 Params: ['zap-x.sh', '-daemon', '-port', '45227', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-silent']46Jul 13, 2020 6:59:08 AM java.util.prefs.FileSystemPreferences$1 run47INFO: Created user preferences directory.48[zap.out] Found Java version 11.0.749[zap.out] Available memory: 3693 MB50[zap.out] Using JVM args: -Xmx923m51[zap.out] 580 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-06-30 started 13/07/2020, 06:59:01 with home /home/zap/.ZAP_D/52[zap.out] 649 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null53[zap.out] 650 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null54[zap.out] 651 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null55[zap.out] 651 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null56[zap.out] 651 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null57[zap.out] 679 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...58[zap.out] 679 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...59[zap.out] 860 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]60[zap.out] 880 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.61[zap.out] 2045 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start62[zap.out] 2055 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end63[zap.out] 2184 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions64[zap.out] 5438 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=35.0.0], [id=ascanrulesBeta, version=28.0.0], [id=bruteforce, version=9.0.0], [id=commonlib, version=1.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=encoder, version=0.3.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=7.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=16.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=29.0.0], [id=pscanrulesBeta, version=22.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.4.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=18.0.0], [id=webdrivermacos, version=17.0.0], [id=webdriverwindows, version=18.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]65[zap.out] 6831 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded66[zap.out] 7272 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates67[zap.out] 7283 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension68[zap.out] 7285 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension69[zap.out] 7286 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP70[zap.out] 7311 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension71[zap.out] 7312 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension72[zap.out] 7313 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension73[zap.out] 7316 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields74[zap.out] 7319 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions75[zap.out] 7322 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses76[zap.out] 7324 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner77[zap.out] 7677 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules78[zap.out] 7678 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule79[zap.out] 7679 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library80[zap.out] 7679 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)81[zap.out] 7680 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set82[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing83[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure84[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)85[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post86[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post87[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing88[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application89[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure90[zap.out] 7681 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache91[zap.out] 7682 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner92[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override93[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner94[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset95[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning96[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)97[zap.out] 7683 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)98[zap.out] 7684 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect99[zap.out] 7684 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak100[zap.out] 7684 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak101[zap.out] 7684 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure102[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens103[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set104[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch105[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner106[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing107[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag108[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie109[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute110[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag111[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration112[zap.out] 7685 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion113[zap.out] 7690 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages114[zap.out] 7690 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL115[zap.out] 7690 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header116[zap.out] 7690 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments117[zap.out] 7690 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method118[zap.out] 7691 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState119[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content120[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure121[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite122[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure123[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found124[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner125[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner126[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing127[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak128[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner129[zap.out] 7692 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)130[zap.out] 7705 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts131[zap.out] 7713 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added132[zap.out] 7725 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence133[zap.out] 7729 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site134[zap.out] 7743 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks135[zap.out] 7745 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool136[zap.out] 7746 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner137[zap.out] 7746 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension138[zap.out] 7751 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences139[zap.out] 7751 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters140[zap.out] 7752 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens141[zap.out] 7760 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension142[zap.out] 7789 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]143[zap.out] 7790 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser144[zap.out] 7793 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only145[zap.out] 7793 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension146[zap.out] 7795 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies147[zap.out] 7798 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration148[zap.out] 7827 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages149[zap.out] 8069 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension150[zap.out] 8069 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions151[zap.out] 8075 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools152[zap.out] 8392 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff153[zap.out] 8392 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension154[zap.out] 8392 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.155[zap.out] 8393 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration156[zap.out] 8394 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension157[zap.out] 8404 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]158[zap.out] 8405 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension159[zap.out] 8408 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.160[zap.out] 8445 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree161[zap.out] 8446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.162[zap.out] 8446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension163[zap.out] 8447 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax164[zap.out] 8451 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.165[zap.out] 8459 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations166[zap.out] 8460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.167[zap.out] 8460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs168[zap.out] 8460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree169[zap.out] 8460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide170[zap.out] 8461 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites171[zap.out] 8462 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts172[zap.out] 8462 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension173[zap.out] 8462 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension174[zap.out] 8463 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension175[zap.out] 8464 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension176[zap.out] 8464 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension177[zap.out] 8467 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension178[zap.out] 8467 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension179[zap.out] 8468 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.180[zap.out] 8468 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration181[zap.out] 8470 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics182[zap.out] 8475 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats183[zap.out] 8476 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.184[zap.out] 8477 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files185[zap.out] 8478 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.186[zap.out] 8480 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.187[zap.out] 8481 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks188[zap.out] 8481 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta189[zap.out] 8481 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage190[zap.out] 8481 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter191[zap.out] 8482 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.192[zap.out] 8482 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 193[zap.out] 8508 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide194[zap.out] 8509 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses195[zap.out] 8516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links196[zap.out] 8516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage197[zap.out] 8516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules198[zap.out] 8516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules199[zap.out] 8517 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications200[zap.out] 8518 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled201[zap.out] 8518 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan202[zap.out] 8519 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP203[zap.out] 8519 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP204[zap.out] 8520 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display205[zap.out] 8639 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch206[zap.out] 8639 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta207[zap.out] 8881 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:33445208[zap.out] 8881 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate209[zap.out] 10976 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created210[zap.out] 10978 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:45227211[zap.out] 10978 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled212[zap.out] 11884 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Discard Session213[zap.out] 11933 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - New Session214[zap.out] 11934 [ZAP-ProxyThread-2] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db215[zap.out] 11959 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start216[zap.out] 11962 [ZAP-ProxyThread-2] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end217[zap.out]2020-07-13 06:59:21,927 The following 4 URLs were scanned:222Total of 3 URLs223PASS: Script Passive Scan Rules [50001]224PASS: Stats Passive Scan Rule [50003]225PASS: Vulnerable JS Library [10003]226PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]227PASS: Content Security Policy (CSP) Header Not Set [10038]228PASS: Directory Browsing [10033]229PASS: Hash Disclosure [10097]230PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]231PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]232PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]233PASS: Reverse Tabnabbing [10108]234PASS: Modern Web Application [10109]235PASS: PII Disclosure [10062]236PASS: Retrieved from Cache [10050]237WARN: HTTP Server Response Header Scanner [10036] x 4242PASS: HTTP Parameter Override [10026]243PASS: Strict-Transport-Security Header Scanner [10035]244PASS: User Controllable Charset [10030]245PASS: Cookie Poisoning [10029]246PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]247PASS: User Controllable JavaScript Event (XSS) [10043]248PASS: Open Redirect [10028]249PASS: X-Backend-Server Header Information Leak [10039]250PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]251PASS: Application Error Disclosure [90022]252PASS: Absence of Anti-CSRF Tokens [10202]253PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]254PASS: Charset Mismatch [90011]255PASS: CSP Scanner [10055]256PASS: Content-Type Header Missing [10019]257PASS: Cookie No HttpOnly Flag [10010]258PASS: Loosely Scoped Cookie [90033]259PASS: Cookie Without SameSite Attribute [10054]260PASS: Cookie Without Secure Flag [10011]261PASS: Cross-Domain Misconfiguration [10098]262PASS: Cross-Domain JavaScript Source File Inclusion [10017]263PASS: Information Disclosure - Debug Error Messages [10023]264PASS: Information Disclosure - Sensitive Information in URL [10024]265PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]266PASS: Information Disclosure - Suspicious Comments [10027]267PASS: Weak Authentication Method [10105]268PASS: Insecure JSF ViewState [90001]269PASS: Secure Pages Include Mixed Content [10040]270PASS: Private IP Disclosure [2]271PASS: Session ID in URL Rewrite [3]272PASS: Timestamp Disclosure [10096]273PASS: Username Hash Found [10057]274PASS: Viewstate Scanner [10032]275PASS: X-AspNet-Version Response Header Scanner [10061]276PASS: X-Content-Type-Options Header Missing [10021]277PASS: X-Debug-Token Information Leak [10056]278PASS: X-Frame-Options Header Scanner [10020]279PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]280PASS: Path Traversal [6]281PASS: Remote File Inclusion [7]282PASS: Source Code Disclosure - /WEB-INF folder [10045]283PASS: External Redirect [20019]284PASS: Server Side Include [40009]285PASS: Cross Site Scripting (Reflected) [40012]286PASS: Cross Site Scripting (Persistent) [40014]287PASS: SQL Injection [40018]288PASS: Server Side Code Injection [90019]289PASS: Remote OS Command Injection [90020]290PASS: Directory Browsing [0]291PASS: Buffer Overflow [30001]292PASS: Format String Error [30002]293PASS: CRLF Injection [40003]294PASS: Parameter Tampering [40008]295PASS: Cross Site Scripting (Persistent) - Prime [40016]296PASS: Cross Site Scripting (Persistent) - Spider [40017]297PASS: Script Active Scan Rules [50000]298PASS: Source Code Disclosure - Git [41]299PASS: Source Code Disclosure - File Inclusion [43]300PASS: Remote Code Execution - Shell Shock [10048]301PASS: Httpoxy - Proxy Header Misuse [10107]302PASS: Anti CSRF Tokens Scanner [20012]303PASS: Heartbleed OpenSSL Vulnerability [20015]304PASS: Cross-Domain Misconfiguration [20016]305PASS: Source Code Disclosure - CVE-2012-1823 [20017]306PASS: Remote Code Execution - CVE-2012-1823 [20018]307PASS: Session Fixation [40013]308PASS: SQL Injection - MySQL [40019]309PASS: SQL Injection - Hypersonic SQL [40020]310PASS: SQL Injection - Oracle [40021]311PASS: SQL Injection - PostgreSQL [40022]312PASS: SQL Injection - SQLite [40024]313PASS: SQL Injection - MsSQL [40027]314PASS: XPath Injection [90021]315PASS: XML External Entity Attack [90023]316PASS: Generic Padding Oracle [90024]317PASS: Expression Language Injection [90025]318PASS: Source Code Disclosure - SVN [42]319PASS: Relative Path Confusion [10051]320PASS: Apache Range Header DoS (CVE-2011-3192) [10053]321PASS: Backup File Disclosure [10095]322PASS: HTTP Only Site [10106]323PASS: Integer Overflow Error [30003]324PASS: Proxy Disclosure [40025]325PASS: ELMAH Information Leak [40028]326PASS: Trace.axd Information Leak [40029]327PASS: .htaccess Information Leak [40032]328PASS: Insecure HTTP Method [90028]329PASS: HTTPS Content Available via HTTP [10047]330PASS: GET for POST [10058]331PASS: User Agent Fuzzer [10104]332PASS: HTTP Parameter Pollution scanner [20014]333PASS: Possible Username Enumeration [40023]334PASS: Cookie Slack Detector [90027]335SUMMARY - PASS: 107 | WARN: 1337Uploading artifacts...338gl-dast-report.json: found 1 matching files and directories 339Uploading artifacts as "dast" to coordinator... ok id=37560090 responseStatus=201 Created token=zhfqosN_340Job succeeded