There was an error fetching the job.
dast

Passed Started 4 years ago by
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 13.3.1 (738bbe5a)
2  on docker-auto-scale fa6cab46
 3  Preparing the "docker+machine" executor  
  01:45
4Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
5Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
6Using docker image sha256:f225a5143148ad7a88911fa2bc248ea797eb88284e691954774baab65531c597 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
 7  Preparing environment  
  00:05
8Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1598602841-ad3cc95f...
 9  Getting source from Git repository  
  00:00
10Skipping Git repository setup
11Skipping Git checkout
12Skipping Git submodules setup
 13  Downloading artifacts  
  00:02
14Downloading artifacts for dast_environment_deploy (37682932)...
15Downloading artifacts from coordinator... ok        id=37682932 responseStatus=200 OK token=CZysRgnc
 16  Executing "step_script" stage of the job script  
  00:26
17$ export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
18$ if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi
19$ /analyze
202020-08-28 08:22:35,174 using Python 3.8.2 (default, Apr 27 2020, 15:53:34) [GCC 9.3.0]
212020-08-28 08:22:35,175 waiting for http://dast-4422333-dast-default.34.67.11.220.nip.io to be available
222020-08-28 08:22:35,175 requesting access to http://dast-4422333-dast-default.34.67.11.220.nip.io
232020-08-28 08:22:35,549 Starting the ZAP Server
242020-08-28 08:22:35,549 Running ZAP with parameters ['zap-x.sh', '-daemon', '-port', '39480', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent']
252020-08-28 08:22:35,552 looking for ZAP at 127.0.0.1:39480...
262020-08-28 08:22:36,554 looking for ZAP at 127.0.0.1:39480...
272020-08-28 08:22:37,557 looking for ZAP at 127.0.0.1:39480...
282020-08-28 08:22:38,560 looking for ZAP at 127.0.0.1:39480...
292020-08-28 08:22:39,563 looking for ZAP at 127.0.0.1:39480...
302020-08-28 08:22:40,566 looking for ZAP at 127.0.0.1:39480...
312020-08-28 08:22:41,570 looking for ZAP at 127.0.0.1:39480...
322020-08-28 08:22:42,572 looking for ZAP at 127.0.0.1:39480...
33[zap.out] Found Java version 11.0.7
34[zap.out] Available memory: 3693 MB
35[zap.out] Using JVM args: -Xmx923m
36[zap.out] 553 [main] INFO org.zaproxy.zap.DaemonBootstrap  - OWASP ZAP D-2020-06-30 started 28/08/2020, 08:22:37 with home /home/zap/.ZAP_D/
37[zap.out] 618 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.disablekey = true was null
38[zap.out] 621 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.name = .* was null
39[zap.out] 625 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.regex = true was null
40[zap.out] 626 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config selenium.firefoxDriver = /usr/bin/geckodriver was null
41[zap.out] 626 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config spider.maxDuration = 1 was null
42[zap.out] 641 [main] INFO org.parosproxy.paros.network.SSLConnector  - Reading supported SSL/TLS protocols...
43[zap.out] 642 [main] INFO org.parosproxy.paros.network.SSLConnector  - Using a SSLEngine...
44[zap.out] 804 [main] INFO org.parosproxy.paros.network.SSLConnector  - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
45[zap.out] 818 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate  - Unsafe SSL renegotiation disabled.
46[zap.out] 1727 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions
47[zap.out] 4990 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Installed add-ons: [[id=accessControl, version=6.0.0], [id=alertFilters, version=10.0.0], [id=ascanrules, version=35.0.0], [id=ascanrulesBeta, version=28.0.0], [id=bruteforce, version=9.0.0], [id=commonlib, version=1.0.0], [id=coreLang, version=14.0.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=encoder, version=0.3.0], [id=formhandler, version=3.0.0], [id=fuzz, version=12.0.0], [id=fuzzdb, version=7.0.0], [id=gettingStarted, version=11.0.0], [id=help, version=10.0.0], [id=hud, version=0.10.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=7.0.0], [id=openapi, version=16.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=29.0.0], [id=pscanrulesBeta, version=22.0.0], [id=quickstart, version=28.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.4.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=26.0.0], [id=selenium, version=15.2.0], [id=sequence, version=6.0.0], [id=spiderAjax, version=23.1.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=18.0.0], [id=webdrivermacos, version=17.0.0], [id=webdriverwindows, version=18.0.0], [id=websocket, version=21.0.0], [id=zest, version=32.0.0]]
48[zap.out] 5764 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Extensions loaded
49[zap.out] Aug 28, 2020 8:22:42 AM java.util.prefs.FileSystemPreferences$1 run
50[zap.out] INFO: Created user preferences directory.
51[zap.out] 6065 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows ZAP to check for updates
52[zap.out] 6072 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Options Extension
53[zap.out] 6072 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Edit Menu Extension
54[zap.out] 6072 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a rest based API for controlling and accessing ZAP
55[zap.out] 6082 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session State Extension
56[zap.out] 6083 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Report Extension
57[zap.out] 6083 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing History Extension
58[zap.out] 6084 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Show hidden fields and enable disabled fields
59[zap.out] 6129 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Search messages for strings and regular expressions
60[zap.out] 6130 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to intercept and modify requests and responses
61[zap.out] 6131 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive scanner
62[zap.out] 6287 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Script Passive Scan Rules
63[zap.out] 6287 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Stats Passive Scan Rule
64[zap.out] 6287 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Vulnerable JS Library
65[zap.out] 6288 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
66[zap.out] 6288 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
67[zap.out] 6289 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Directory Browsing
68[zap.out] 6289 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Hash Disclosure
69[zap.out] 6289 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
70[zap.out] 6290 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
71[zap.out] 6290 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
72[zap.out] 6290 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Reverse Tabnabbing
73[zap.out] 6290 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Modern Web Application
74[zap.out] 6293 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: PII Disclosure
75[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Retrieved from Cache
76[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Server Response Header Scanner
77[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Parameter Override
78[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Strict-Transport-Security Header Scanner
79[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable Charset
80[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Poisoning
81[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
82[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: User Controllable JavaScript Event (XSS)
83[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Open Redirect
84[zap.out] 6294 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Backend-Server Header Information Leak
85[zap.out] 6295 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
86[zap.out] 6295 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure
87[zap.out] 6295 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Absence of Anti-CSRF Tokens
88[zap.out] 6295 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
89[zap.out] 6295 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Charset Mismatch
90[zap.out] 6296 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: CSP Scanner
91[zap.out] 6296 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing
92[zap.out] 6296 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag
93[zap.out] 6296 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Loosely Scoped Cookie
94[zap.out] 6296 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without SameSite Attribute
95[zap.out] 6297 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag
96[zap.out] 6297 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain Misconfiguration
97[zap.out] 6297 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
98[zap.out] 6297 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Debug Error Messages
99[zap.out] 6297 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
100[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
101[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Suspicious Comments
102[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Weak Authentication Method
103[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Insecure JSF ViewState
104[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content
105[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure
106[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite
107[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Timestamp Disclosure
108[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Username Hash Found
109[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Viewstate Scanner
110[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-AspNet-Version Response Header Scanner
111[zap.out] 6298 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing
112[zap.out] 6299 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Debug-Token Information Leak
113[zap.out] 6299 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner
114[zap.out] 6299 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
115[zap.out] 6321 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to view and manage alerts
116[zap.out] 6329 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
117[zap.out] 6340 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSequence
118[zap.out] 6340 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Spider used for automatically finding URIs on a site
119[zap.out] 6351 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing A set of common popup menus for miscellaneous tasks
120[zap.out] 6352 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
121[zap.out] 6352 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Simple but effective port scanner
122[zap.out] 6354 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manual Request Editor Extension
123[zap.out] 6354 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Compares 2 sessions and generates an HTML file showing the differences
124[zap.out] 6355 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Invoke external applications passing context related information such as URLs and parameters
125[zap.out] 6355 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles anti cross site request forgery (CSRF) tokens
126[zap.out] 6363 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authentication Extension
127[zap.out] 6384 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication  - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
128[zap.out] 6389 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
129[zap.out] 6390 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Logs errors to the Output tab in development mode only
130[zap.out] 6390 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Users Extension
131[zap.out] 6393 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Summarise and analyse FORM and URL parameters as well as cookies
132[zap.out] 6395 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Script integration
133[zap.out] 6426 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Scripting console, supports all JSR 223 scripting languages
134[zap.out] 6639 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced User Extension
135[zap.out] 6643 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Extension handling HTTP sessions
136[zap.out] 6644 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
137[zap.out] 6941 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionDiff
138[zap.out] 6941 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Post Table View Extension
139[zap.out] 6942 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for scriptable encoders to ZAP.
140[zap.out] 6942 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Simple browser configuration
141[zap.out] 6942 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session Management Extension
142[zap.out] 6953 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement  - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
143[zap.out] 6954 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Form Table View Extension
144[zap.out] 6954 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Capture messages from WebSockets with the ability to set breakpoints.
145[zap.out] 6989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
146[zap.out] 6989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Core UI related functionality.
147[zap.out] 6990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authorization Extension
148[zap.out] 6990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing AJAX Spider, uses Crawljax
149[zap.out] 6992 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
150[zap.out] 7002 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manages the local proxy configurations
151[zap.out] 7002 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Add-on that adds a set of tools for testing access control in web applications.
152[zap.out] 7007 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles adding Global Excluded URLs
153[zap.out] 7007 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds menu item to refresh the Sites tree
154[zap.out] 7007 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing OWASP ZAP User Guide
155[zap.out] 7007 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a URL suitable for calling from target sites
156[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to configure which extensions are loaded when ZAP starts
157[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Combined HTTP Panels Extension
158[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Hex View Extension
159[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Image View Extension
160[zap.out] 7009 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Request View Extension
161[zap.out] 7010 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Response View Extension
162[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Query Table View Extension
163[zap.out] 7011 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Syntax Highlighter View Extension
164[zap.out] 7013 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
165[zap.out] 7013 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active and passive rule configuration
166[zap.out] 7020 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Statistics
167[zap.out] 7021 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats  - Start recording in memory stats
168[zap.out] 7022 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing This extension allows a user to change the default values used by ZAP Spiders.
169[zap.out] 7023 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Translations of the core language files
170[zap.out2020-08-28 08:22:43,575 looking for ZAP at 127.0.0.1:39480...
1712020-08-28 08:22:44,578 looking for ZAP at 127.0.0.1:39480...
1722020-08-28 08:22:45,581 looking for ZAP at 127.0.0.1:39480...
1732020-08-28 08:22:46,585 looking for ZAP at 127.0.0.1:39480...
1742020-08-28 08:22:46,675 connected to ZAP with version D-2020-06-30
1752020-08-28 08:22:46,675 starting scan
1762020-08-28 08:22:46,676 Script params: [('-t', 'http://dast-4422333-dast-default.34.67.11.220.nip.io'), ('-m', 1), ('-P', '39480')]
177] 7025 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
178[zap.out] 7027 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz HTTP messages.
179[zap.out] 7028 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Tips and Tricks
180[zap.out] 7028 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules - beta
181[zap.out] 7028 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveRawHttpMessage
182[zap.out] 7028 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Context alert rules filter
183[zap.out] 7032 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz WebSocket messages.
184[zap.out] 7032 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
185[zap.out] 7062 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The ZAP Getting Started Guide
186[zap.out] 7062 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Easy way to replace strings in requests and responses
187[zap.out] 7065 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The Online menu links
188[zap.out] 7069 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveXMLHttpMessage
189[zap.out] 7070 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules
190[zap.out] 7070 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules
191[zap.out] 7070 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds the Quick Start panel for scanning and exploring applications
192[zap.out] 7071 [ZAP-daemon] INFO org.zaproxy.zap.extension.quickstart.ExtensionQuickStart  - Shh! No check-for-news - silent mode enabled
193[zap.out] 7071 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Add the option to use the Ajax Spider in the Quick Start scan
194[zap.out] 7071 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
195[zap.out] 7071 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP
196[zap.out] 7072 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Heads Up Display
197[zap.out] 7183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHUDlaunch
198[zap.out] 7183 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules - beta
199[zap.out] 7375 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback  - Started callback server on 0.0.0.0:45725
200[zap.out] 7375 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL  - Creating new root CA certificate
201[zap.out] 9282 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL  - New root CA certificate created
202[zap.out] 9284 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:39480
203[zap.out] 9284 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate  - Shh! No check-for-update - silent mode enabled
204[zap.out] 10982 [ZAP-ProxyThread-3] INFO org.parosproxy.paros.control.Control  - New session file created: /home/zap/.ZAP_D/session/dast.session
205[zap.out] 14136 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: Target Context at Fri Aug 28 08:22:50 UTC 2020
206[zap.out] 14138 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
207[zap.out] 14169 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
208[zap.out] 14334 [ZAP-SpiderThreadPool-0-th2020-08-28 08:22:56,293 connecting to ZAP database /home/zap/.ZAP_D/session/dast.session
209Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
210INFO: dataFileCache open start
211Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
212INFO: dataFileCache open end
213Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
214INFO: checkpointClose start
215Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
216INFO: checkpointClose synched
217Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
218INFO: checkpointClose script done
219Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
220INFO: dataFileCache commit start
221Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
222INFO: dataFileCache commit end
223Aug 28, 2020 8:22:57 AM org.hsqldb.persist.Logger logInfoEvent
224INFO: checkpointClose end
2252020-08-28 08:22:58,268 The following 4 URLs were scanned:
226GET http://dast-4422333-dast-default.34.67.11.220.nip.io
227GET http://dast-4422333-dast-default.34.67.11.220.nip.io/
228GET http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt
229GET http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml
230PASS: Script Passive Scan Rules [50001]
231PASS: Stats Passive Scan Rule [50003]
232PASS: Vulnerable JS Library [10003]
233PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
234WARN: Content Security Policy (CSP) Header Not Set [10038] x 1
235	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
236PASS: Directory Browsing [10033]
237PASS: Hash Disclosure [10097]
238PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
239PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
240PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
241PASS: Reverse Tabnabbing [10108]
242PASS: Modern Web Application [10109]
243PASS: PII Disclosure [10062]
244PASS: Retrieved from Cache [10050]
245WARN: HTTP Server Response Header Scanner [10036] x 5
246	http://dast-4422333-dast-default.34.67.11.220.nip.io/ (308)
247	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
248	http://dast-4422333-dast-default.34.67.11.220.nip.io/robots.txt (308)
249	http://dast-4422333-dast-default.34.67.11.220.nip.io (308)
250	http://dast-4422333-dast-default.34.67.11.220.nip.io/sitemap.xml (308)
251PASS: HTTP Parameter Override [10026]
252PASS: Strict-Transport-Security Header Scanner [10035]
253PASS: User Controllable Charset [10030]
254PASS: Cookie Poisoning [10029]
255PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
256PASS: User Controllable JavaScript Event (XSS) [10043]
257PASS: Open Redirect [10028]
258PASS: X-Backend-Server Header Information Leak [10039]
259PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
260PASS: Application Error Disclosure [90022]
261PASS: Absence of Anti-CSRF Tokens [10202]
262WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1
263	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
264PASS: Charset Mismatch [90011]
265PASS: CSP Scanner [10055]
266PASS: Content-Type Header Missing [10019]
267PASS: Cookie No HttpOnly Flag [10010]
268PASS: Loosely Scoped Cookie [90033]
269PASS: Cookie Without SameSite Attribute [10054]
270PASS: Cookie Without Secure Flag [10011]
271PASS: Cross-Domain Misconfiguration [10098]
272PASS: Cross-Domain JavaScript Source File Inclusion [10017]
273PASS: Information Disclosure - Debug Error Messages [10023]
274PASS: Information Disclosure - Sensitive Information in URL [10024]
275PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
276PASS: Information Disclosure - Suspicious Comments [10027]
277PASS: Weak Authentication Method [10105]
278PASS: Insecure JSF ViewState [90001]
279PASS: Secure Pages Include Mixed Content [10040]
280PASS: Private IP Disclosure [2]
281PASS: Session ID in URL Rewrite [3]
282PASS: Timestamp Disclosure [10096]
283PASS: Username Hash Found [10057]
284PASS: Viewstate Scanner [10032]
285PASS: X-AspNet-Version Response Header Scanner [10061]
286WARN: X-Content-Type-Options Header Missing [10021] x 1
287	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
288PASS: X-Debug-Token Information Leak [10056]
289WARN: X-Frame-Options Header Scanner [10020] x 1
290	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
291WARN: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 1
292	https://dast-4422333-dast-default.34.67.11.220.nip.io/ (200)
293PASS: Path Traversal [6]
294PASS: Remote File Inclusion [7]
295PASS: Source Code Disclosure - /WEB-INF folder [10045]
296PASS: External Redirect [20019]
297PASS: Server Side Include [40009]
298PASS: Cross Site Scripting (Reflected) [40012]
299PASS: Cross Site Scripting (Persistent) [40014]
300PASS: SQL Injection [40018]
301PASS: Server Side Code Injection [90019]
302PASS: Remote OS Command Injection [90020]
303PASS: Directory Browsing [0]
304PASS: Buffer Overflow [30001]
305PASS: Format String Error [30002]
306PASS: CRLF Injection [40003]
307PASS: Parameter Tampering [40008]
308PASS: Cross Site Scripting (Persistent) - Prime [40016]
309PASS: Cross Site Scripting (Persistent) - Spider [40017]
310PASS: Script Active Scan Rules [50000]
311PASS: Source Code Disclosure - Git  [41]
312PASS: Source Code Disclosure - File Inclusion [43]
313PASS: Remote Code Execution - Shell Shock [10048]
314PASS: Httpoxy - Proxy Header Misuse [10107]
315PASS: Anti CSRF Tokens Scanner [20012]
316PASS: Heartbleed OpenSSL Vulnerability [20015]
317PASS: Cross-Domain Misconfiguration [20016]
318PASS: Source Code Disclosure - CVE-2012-1823 [20017]
319PASS: Remote Code Execution - CVE-2012-1823 [20018]
320PASS: Session Fixation [40013]
321PASS: SQL Injection - MySQL [40019]
322PASS: SQL Injection - Hypersonic SQL [40020]
323PASS: SQL Injection - Oracle [40021]
324PASS: SQL Injection - PostgreSQL [40022]
325PASS: SQL Injection - SQLite [40024]
326PASS: SQL Injection - MsSQL [40027]
327PASS: XPath Injection [90021]
328PASS: XML External Entity Attack [90023]
329PASS: Generic Padding Oracle [90024]
330PASS: Expression Language Injection [90025]
331PASS: Source Code Disclosure - SVN [42]
332PASS: Relative Path Confusion [10051]
333PASS: Apache Range Header DoS (CVE-2011-3192) [10053]
334PASS: Backup File Disclosure [10095]
335PASS: HTTP Only Site [10106]
336PASS: Integer Overflow Error [30003]
337PASS: Proxy Disclosure [40025]
338PASS: ELMAH Information Leak [40028]
339PASS: Trace.axd Information Leak [40029]
340PASS: .htaccess Information Leak [40032]
341PASS: Insecure HTTP Method [90028]
342PASS: HTTPS Content Available via HTTP [10047]
343PASS: GET for POST [10058]
344PASS: User Agent Fuzzer [10104]
345PASS: HTTP Parameter Pollution scanner [20014]
346PASS: Possible Username Enumeration [40023]
347PASS: Cookie Slack Detector [90027]
348SUMMARY - PASS: 102 | WARN: 6
 349  Uploading artifacts for successful job  
  00:02
350Uploading artifacts...
351gl-dast-report.json: found 1 matching files and directories 
352Uploading artifacts as "dast" to coordinator... ok  id=37682933 responseStatus=201 Created token=yfCiy8fb
353Job succeeded
Admin message

Admin message
