There was an error fetching the job.
dast
Passed Started
by
@mikolaj_wawrzyniak
Mikołaj Wawrzyniak
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.3.1 (738bbe5a)2 on docker-auto-scale 729897614Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...6Using docker image sha256:f225a5143148ad7a88911fa2bc248ea797eb88284e691954774baab65531c597 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...8Running on runner-72989761-project-4422333-concurrent-0 via runner-72989761-stg-srm-1598602825-2f9e79a3...10Skipping Git repository setup11Skipping Git checkout12Skipping Git submodules setup14Downloading artifacts for dast_environment_deploy (37682913)...15Downloading artifacts from coordinator... ok id=37682913 responseStatus=200 OK token=byuJLk7o17$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}18$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi19$ /analyze202020-08-28 08:22:25,236 using Python 3.8.2 (default, Apr 27 2020, 15:53:34) [GCC 9.3.0]212020-08-28 08:22:25,236 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available222020-08-28 08:22:25,237 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io232020-08-28 08:22:25,608 Starting the ZAP Server242020-08-28 08:22:25,609 Running ZAP with parameters ['zap-x.sh', '-daemon', '-port', '33774', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']252020-08-28 08:22:25,611 looking for ZAP at 127.0.0.1:33774...262020-08-28 08:22:26,615 looking for ZAP at 127.0.0.1:33774...272020-08-28 08:22:27,618 looking for ZAP at 127.0.0.1:33774...282020-08-28 08:22:28,621 looking for ZAP at 127.0.0.1:33774...292020-08-28 08:22:29,624 looking for ZAP at 127.0.0.1:33774...302020-08-28 08:22:30,627 looking for ZAP at 127.0.0.1:33774...312020-08-28 08:22:31,630 looking for ZAP at 127.0.0.1:33774...322020-08-28 08:22:32,633 looking for ZAP at 127.0.0.1:33774...33[zap.out] Found Java version 11.0.734[zap.out] Available memory: 3693 MB35[zap.out] Using JVM args: -Xmx923m36[zap.out] 570 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2020-06-30 started 28/08/2020, 08:22:27 with home /home/zap/.ZAP_D/37[zap.out] 638 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null38[zap.out] 639 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null39[zap.out] 639 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null40[zap.out] 639 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null41[zap.out] 639 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was null42[zap.out] 660 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...43[zap.out] 660 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...44[zap.out] 846 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]45[zap.out] 864 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.46[zap.out] 1825 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions47[zap.out] 5306 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=35.0.0], [id=ascanrulesBeta, version=28.0.0], [id=bruteforce, version=9.0.0], [id=commonlib, version=1.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=encoder, version=0.3.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=7.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=16.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=29.0.0], [id=pscanrulesBeta, version=22.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.4.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=18.0.0], [id=webdrivermacos, version=17.0.0], [id=webdriverwindows, version=18.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]48[zap.out] 6200 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded49[zap.out] Aug 28, 2020 8:22:32 AM java.util.prefs.FileSystemPreferences$1 run50[zap.out] INFO: Created user preferences directory.51[zap.out] 6513 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates52[zap.out] 6522 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension53[zap.out] 6523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension54[zap.out] 6523 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP55[zap.out] 6538 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension56[zap.out] 6539 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension57[zap.out] 6539 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension58[zap.out] 6540 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields59[zap.out] 6542 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions60[zap.out] 6543 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses61[zap.out] 6546 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner62[zap.out] 6738 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules63[zap.out] 6739 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule64[zap.out] 6743 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library65[zap.out] 6743 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)66[zap.out] 6744 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set67[zap.out] 6744 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing68[zap.out] 6744 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure69[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)70[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post71[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post72[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing73[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application74[zap.out] 6745 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure75[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache76[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header Scanner77[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override78[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header Scanner79[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset80[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning81[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)82[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)83[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect84[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak85[zap.out] 6746 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak86[zap.out] 6747 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure87[zap.out] 6747 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens88[zap.out] 6747 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set89[zap.out] 6747 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch90[zap.out] 6747 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP Scanner91[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing92[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag93[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie94[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute95[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag96[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration97[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion98[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages99[zap.out] 6748 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL100[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header101[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments102[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method103[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState104[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content105[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure106[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite107[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure108[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found109[zap.out] 6749 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner110[zap.out] 6753 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header Scanner111[zap.out] 6753 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing112[zap.out] 6753 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak113[zap.out] 6753 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner114[zap.out] 6753 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered2020-08-28 08:22:33,636 looking for ZAP at 127.0.0.1:33774...115-By" HTTP Response Header Field(s)116[zap.out] 6774 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts117[zap.out] 6781 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added118[zap.out] 6788 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence119[zap.out] 6792 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site120[zap.out] 6804 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks121[zap.out] 6804 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool122[zap.out] 6804 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner123[zap.out] 6805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension124[zap.out] 6805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences125[zap.out] 6805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters126[zap.out] 6805 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens127[zap.out] 6813 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension128[zap.out] 6834 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]129[zap.out] 6836 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser130[zap.out] 6837 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only131[zap.out] 6837 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension132[zap.out] 6841 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies133[zap.out] 6843 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration134[zap.out] 6869 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages135[zap.out] 7078 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension136[zap.out] 7078 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions137[zap.out] 7082 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools138[zap.out] 7358 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff139[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension140[zap.out] 7361 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.141[zap.out] 7362 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration142[zap.out] 7366 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension143[zap.out] 7372 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]144[zap.out] 7372 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension145[zap.out] 7376 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.146[zap.out] 7416 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree147[zap.out] 7419 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.148[zap.out] 7420 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension149[zap.out] 7420 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax150[zap.out] 7425 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.151[zap.out] 7435 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations152[zap.out] 7435 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.153[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs154[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree155[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide156[zap.out] 7436 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites157[zap.out] 7439 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts158[zap.out] 7439 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension159[zap.out] 7439 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension160[zap.out] 7439 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension161[zap.out] 7439 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension162[zap.out] 7440 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension163[zap.out] 7441 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension164[zap.out] 7441 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension165[zap.out] 7446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.166[zap.out] 7446 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration167[zap.out] 7449 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics168[zap.out] 7451 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats169[zap.out] 7452 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.170[zap.out] 7457 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files171[zap.out2020-08-28 08:22:34,639 looking for ZAP at 127.0.0.1:33774...1722020-08-28 08:22:35,642 looking for ZAP at 127.0.0.1:33774...1732020-08-28 08:22:36,645 looking for ZAP at 127.0.0.1:33774...1742020-08-28 08:22:37,648 looking for ZAP at 127.0.0.1:33774...1752020-08-28 08:22:37,744 connected to ZAP with version D-2020-06-301762020-08-28 08:22:37,744 starting scan1772020-08-28 08:22:37,745 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-P', '33774')]178] 7457 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.179[zap.out] 7459 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.180[zap.out] 7460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks181[zap.out] 7460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta182[zap.out] 7460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage183[zap.out] 7460 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter184[zap.out] 7462 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.185[zap.out] 7466 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 186[zap.out] 7492 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide187[zap.out] 7495 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses188[zap.out] 7499 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links189[zap.out] 7499 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage190[zap.out] 7500 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules191[zap.out] 7501 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules192[zap.out] 7501 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications193[zap.out] 7502 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart - Shh! No check-for-news - silent mode enabled194[zap.out] 7506 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan195[zap.out] 7506 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP196[zap.out] 7506 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP197[zap.out] 7506 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display198[zap.out] 7616 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch199[zap.out] 7616 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta200[zap.out] 7803 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:42187201[zap.out] 7803 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate202[zap.out] 10146 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created203[zap.out] 10148 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:33774204[zap.out] 10148 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled205[zap.out] 11928 [ZAP-ProxyThread-3] INFO org.parosproxy.paros.control.Control - New session file created: /home/zap/.ZAP_D/session/dast.session206[zap.out] 15565 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Target Context at Fri Aug 28 08:22:42 UTC 2020207[zap.out] 15567 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...208[zap.out] 15608 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...209[zap.out] 15771 [ZAP-SpiderThreadPool-02020-08-28 08:22:47,656 connecting to ZAP database /home/zap/.ZAP_D/session/dast.session210Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent211INFO: dataFileCache open start212Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent213INFO: dataFileCache open end214Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent215INFO: checkpointClose start216Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent217INFO: checkpointClose synched218Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent219INFO: checkpointClose script done220Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent221INFO: dataFileCache commit start222Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent223INFO: dataFileCache commit end224Aug 28, 2020 8:22:49 AM org.hsqldb.persist.Logger logInfoEvent225INFO: checkpointClose end2262020-08-28 08:22:49,863 The following 4 URLs were scanned:231PASS: Script Passive Scan Rules [50001]232PASS: Stats Passive Scan Rule [50003]233PASS: Vulnerable JS Library [10003]234PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]235WARN: Content Security Policy (CSP) Header Not Set [10038] x 1237PASS: Directory Browsing [10033]238PASS: Hash Disclosure [10097]239PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]240PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]241PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]242PASS: Reverse Tabnabbing [10108]243PASS: Modern Web Application [10109]244PASS: PII Disclosure [10062]245PASS: Retrieved from Cache [10050]246WARN: HTTP Server Response Header Scanner [10036] x 5252PASS: HTTP Parameter Override [10026]253PASS: Strict-Transport-Security Header Scanner [10035]254PASS: User Controllable Charset [10030]255PASS: Cookie Poisoning [10029]256PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]257PASS: User Controllable JavaScript Event (XSS) [10043]258PASS: Open Redirect [10028]259PASS: X-Backend-Server Header Information Leak [10039]260PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]261PASS: Application Error Disclosure [90022]262PASS: Absence of Anti-CSRF Tokens [10202]263WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1265PASS: Charset Mismatch [90011]266PASS: CSP Scanner [10055]267PASS: Content-Type Header Missing [10019]268PASS: Cookie No HttpOnly Flag [10010]269PASS: Loosely Scoped Cookie [90033]270PASS: Cookie Without SameSite Attribute [10054]271PASS: Cookie Without Secure Flag [10011]272PASS: Cross-Domain Misconfiguration [10098]273PASS: Cross-Domain JavaScript Source File Inclusion [10017]274PASS: Information Disclosure - Debug Error Messages [10023]275PASS: Information Disclosure - Sensitive Information in URL [10024]276PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]277PASS: Information Disclosure - Suspicious Comments [10027]278PASS: Weak Authentication Method [10105]279PASS: Insecure JSF ViewState [90001]280PASS: Secure Pages Include Mixed Content [10040]281PASS: Private IP Disclosure [2]282PASS: Session ID in URL Rewrite [3]283PASS: Timestamp Disclosure [10096]284PASS: Username Hash Found [10057]285PASS: Viewstate Scanner [10032]286PASS: X-AspNet-Version Response Header Scanner [10061]287WARN: X-Content-Type-Options Header Missing [10021] x 1289PASS: X-Debug-Token Information Leak [10056]290WARN: X-Frame-Options Header Scanner [10020] x 1292WARN: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 1294PASS: Path Traversal [6]295PASS: Remote File Inclusion [7]296PASS: Source Code Disclosure - /WEB-INF folder [10045]297PASS: External Redirect [20019]298PASS: Server Side Include [40009]299PASS: Cross Site Scripting (Reflected) [40012]300PASS: Cross Site Scripting (Persistent) [40014]301PASS: SQL Injection [40018]302PASS: Server Side Code Injection [90019]303PASS: Remote OS Command Injection [90020]304PASS: Directory Browsing [0]305PASS: Buffer Overflow [30001]306PASS: Format String Error [30002]307PASS: CRLF Injection [40003]308PASS: Parameter Tampering [40008]309PASS: Cross Site Scripting (Persistent) - Prime [40016]310PASS: Cross Site Scripting (Persistent) - Spider [40017]311PASS: Script Active Scan Rules [50000]312PASS: Source Code Disclosure - Git [41]313PASS: Source Code Disclosure - File Inclusion [43]314PASS: Remote Code Execution - Shell Shock [10048]315PASS: Httpoxy - Proxy Header Misuse [10107]316PASS: Anti CSRF Tokens Scanner [20012]317PASS: Heartbleed OpenSSL Vulnerability [20015]318PASS: Cross-Domain Misconfiguration [20016]319PASS: Source Code Disclosure - CVE-2012-1823 [20017]320PASS: Remote Code Execution - CVE-2012-1823 [20018]321PASS: Session Fixation [40013]322PASS: SQL Injection - MySQL [40019]323PASS: SQL Injection - Hypersonic SQL [40020]324PASS: SQL Injection - Oracle [40021]325PASS: SQL Injection - PostgreSQL [40022]326PASS: SQL Injection - SQLite [40024]327PASS: SQL Injection - MsSQL [40027]328PASS: XPath Injection [90021]329PASS: XML External Entity Attack [90023]330PASS: Generic Padding Oracle [90024]331PASS: Expression Language Injection [90025]332PASS: Source Code Disclosure - SVN [42]333PASS: Relative Path Confusion [10051]334PASS: Apache Range Header DoS (CVE-2011-3192) [10053]335PASS: Backup File Disclosure [10095]336PASS: HTTP Only Site [10106]337PASS: Integer Overflow Error [30003]338PASS: Proxy Disclosure [40025]339PASS: ELMAH Information Leak [40028]340PASS: Trace.axd Information Leak [40029]341PASS: .htaccess Information Leak [40032]342PASS: Insecure HTTP Method [90028]343PASS: HTTPS Content Available via HTTP [10047]344PASS: GET for POST [10058]345PASS: User Agent Fuzzer [10104]346PASS: HTTP Parameter Pollution scanner [20014]347PASS: Possible Username Enumeration [40023]348PASS: Cookie Slack Detector [90027]349SUMMARY - PASS: 102 | WARN: 6351Uploading artifacts...352gl-dast-report.json: found 1 matching files and directories 353Uploading artifacts as "dast" to coordinator... ok id=37682914 responseStatus=201 Created token=foZEqtbU354Job succeeded