ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0
104 stars 72 forks

The zap-baseline.py runs on my site but scans only the target url in passive mode #18

Closed SinhaKrBiplab closed 4 years ago

SinhaKrBiplab commented 4 years ago

I ran the ZAP baseline on my site, which is a redirection, so it redirects to another URL. I see it scans only the target URL. I modified the Python script to log in, and it gave me the logged-in access token as well. But for some reason the warnings are only for the target URL and not the other spider-crawled URLs. Please help.

I ran this command:

```
zap-baseline.py -t https://qa-pinpoint.ddiworld.com/psg2 -r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=https://qa-pinpoint.ddiworld.com/psg2 auth.username="*" auth.password="" auth.username_field="Username" auth.password_field="Password" auth.submit_field="logon-button" auth.auto=1" -m 4 -j
```

The warnings came only from the target, whereas I am expecting all the logged-in API calls as well.

```
WARN-NEW: Cookie No HttpOnly Flag [10010] x 16
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Cookie Without Secure Flag [10011] x 16
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 9
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Content-Type Header Missing [10019] x 1
	https://qa-pinpoint.ddiworld.com/config (200 OK)
WARN-NEW: X-Frame-Options Header Not Set [10020] x 6
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 16
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 6
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Cookie Without SameSite Attribute [10054] x 16
	https://qa-pinpoint.ddiworld.com/psg2 (200 OK)
	https://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
	https://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
	https://qa-pinpoint.ddiworld.com/variables.css (200 OK)
	https://qa-pinpoint.ddiworld.com/ (200 OK)
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 8	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 42
```
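A quick way to confirm what a baseline run actually covered, added here as an example and not part of this issue or the project's code: parse the per-rule summary that zap-baseline.py prints, collect the distinct URLs listed under each rule, and count how many of them sit under the target path. The sample report is a constructed excerpt of the output quoted above; the regexes assume the "RULE [id] x count" header and tab-indented "URL (status)" layout shown there.

```python
import re

# One header line per rule, followed by the affected URLs indented beneath it
# (the scanner lists only the first few URLs per rule, not all `count` hits).
RULE_RE = re.compile(r"^(WARN|FAIL)-(NEW|INPROG): (.+?) \[(\d+)\] x (\d+)\s*$")
URL_RE = re.compile(r"^\s+(https?://\S+) \((\d{3}) [^)]*\)\s*$")

# Constructed excerpt of the report quoted in the issue above.
SAMPLE_REPORT = """\
WARN-NEW: Cookie No HttpOnly Flag [10010] x 16
\thttps://qa-pinpoint.ddiworld.com/psg2 (200 OK)
\thttps://qa-pinpoint.ddiworld.com/robots.txt (200 OK)
\thttps://qa-pinpoint.ddiworld.com/sitemap.xml (200 OK)
\thttps://qa-pinpoint.ddiworld.com/variables.css (200 OK)
\thttps://qa-pinpoint.ddiworld.com/ (200 OK)
WARN-NEW: Content-Type Header Missing [10019] x 1
\thttps://qa-pinpoint.ddiworld.com/config (200 OK)
FAIL-NEW: 0\tFAIL-INPROG: 0\tWARN-NEW: 8\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 42
"""


def parse_report(text):
    """Return {rule name: (plugin id, alert count, [listed URLs])}."""
    findings, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = m.group(3)
            findings[current] = (m.group(4), int(m.group(5)), [])
            continue
        m = URL_RE.match(line)
        if m and current:
            findings[current][2].append(m.group(1))
    return findings


def urls_under(findings, target):
    """Distinct reported URLs, and the subset equal to or below the target path."""
    seen = {u for _, _, urls in findings.values() for u in urls}
    base = target.rstrip("/") + "/"
    return seen, {u for u in seen if u == target or u.startswith(base)}


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    seen, in_scope = urls_under(findings, "https://qa-pinpoint.ddiworld.com/psg2")
    for rule, (pid, count, urls) in findings.items():
        print(f"{pid} {rule}: {count} alerts, {len(urls)} URLs listed")
    print(f"{len(seen)} distinct URLs reported, {len(in_scope)} under the target path")
```

If the second number stays at 1 after an authenticated run, the spider never followed the post-login redirect and the hook needs attention rather than the rule set.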

dicksnel commented 4 years ago

Does your site work with session cookies or auth tokens? Auth tokens are not supported at the moment. I am currently building support for it.

dicksnel commented 4 years ago

Please use the latest version with Authorization header support: #22

Please open a new issue if you are still having problems.