ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

Authenticated login is not scanning post login urls #43

Closed pedro37 closed 2 years ago

pedro37 commented 2 years ago

Hi,

I have created a temporary login at https://demoqa.com. I can see authentication, but the URLs after authentication are not followed. I presume I must be missing something.

```sh
docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -d -t https://demoqa.com \
  -r testreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=https://demoqa.com/login auth.username=username auth.password=password auth.include=https://demoqa.*"
```

Logs:

```
2021-11-23 17:12:10,965 Target: https://demoqa.com
2021-11-23 17:12:11,070 Trigger hook: cli_opts, args: 1
2021-11-23 17:12:11,071 Using port: 46852
2021-11-23 17:12:11,072 Trigger hook: start_zap, args: 2
2021-11-23 17:12:11,072 Extra params passed by ZAP: ['-config', 'spider.maxDuration=1', '-addonupdate', '-addoninstall', 'pscanrulesBeta', 'auth.loginurl=https://demoqa.com/login', 'auth.username=username', 'auth.password=password', 'auth.include=https://demoqa.*']
2021-11-23 17:12:11,072 _get_zap_param auth.loginurl: https://demoqa.com/login
2021-11-23 17:12:11,073 _get_zap_param auth.username: username
2021-11-23 17:12:11,073 _get_zap_param auth.password: password
2021-11-23 17:12:11,073 _get_zap_param_list auth.include: ['https://demoqa.*']
2021-11-23 17:12:11,073 Starting ZAP
2021-11-23 17:12:11,074 Params: ['zap-x.sh', '-daemon', '-port', '46852', '-host', '0.0.0.0', '-config', 'database.recoverylog=false', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-addonupdate', '-addoninstall', 'pscanrulesBeta', 'auth.loginurl=https://demoqa.com/login', 'auth.username=username', 'auth.password=password', 'auth.include=https://demoqa.*']
2021-11-23 17:12:11,080 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:12,084 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:13,088 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:14,092 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:15,097 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:16,105 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:17,115 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:18,120 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:19,125 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:20,130 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:21,134 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:22,140 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:23,150 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,154 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,254 http://localhost:46852 "GET http://zap/JSON/core/view/version/ HTTP/1.1" 200 26
2021-11-23 17:12:24,255 ZAP Version D-2021-11-15
2021-11-23 17:12:24,255 Took 13 seconds
2021-11-23 17:12:24,255 Trigger hook: zap_started, args: 2
2021-11-23 17:12:24,257 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,324 http://localhost:46852 "GET http://zap/JSON/ascan/action/updateScanPolicy/?scanPolicyName=Default+Policy&apikey=&attackStrength=LOW HTTP/1.1" 200 15
2021-11-23 17:12:24,327 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,348 http://localhost:46852 "GET http://zap/JSON/replacer/action/addRule/?description=Scanner&enabled=True&matchType=REQ_HEADER&matchRegex=False&matchString=X-Scanner&apikey=&replacement=ZAP HTTP/1.1" 200 15
2021-11-23 17:12:24,353 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,445 http://localhost:46852 "GET http://zap/JSON/context/action/newContext/?contextName=ctx-zap-docker&apikey= HTTP/1.1" 200 17
2021-11-23 17:12:24,448 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,495 http://localhost:46852 "GET http://zap/JSON/context/action/includeInContext/?contextName=ctx-zap-docker&regex=https%3A%2F%2Fdemoqa.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,496 Included https://demoqa.*
2021-11-23 17:12:24,497 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,521 http://localhost:46852 "GET http://zap/JSON/context/action/includeInContext/?contextName=ctx-zap-docker&regex=https%3A%2F%2Fdemoqa.com.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,522 Included https://demoqa.com.*
2021-11-23 17:12:24,523 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,552 http://localhost:46852 "GET http://zap/JSON/context/action/excludeFromContext/?contextName=ctx-zap-docker&regex=.%2Alogout.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,553 Excluded .*logout.*
2021-11-23 17:12:24,555 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,572 http://localhost:46852 "GET http://zap/JSON/context/action/excludeFromContext/?contextName=ctx-zap-docker&regex=.%2Auitloggen.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,573 Excluded .*uitloggen.*
2021-11-23 17:12:24,575 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,593 http://localhost:46852 "GET http://zap/JSON/context/action/excludeFromContext/?contextName=ctx-zap-docker&regex=.%2Aafmelden.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,594 Excluded .*afmelden.*
2021-11-23 17:12:24,596 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:24,611 http://localhost:46852 "GET http://zap/JSON/context/action/excludeFromContext/?contextName=ctx-zap-docker&regex=.%2Asignout.%2A&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:24,612 Excluded .*signout.*
2021-11-23 17:12:24,612 Start webdriver
2021-11-23 17:12:25,624 POST http://127.0.0.1:53503/session {"capabilities": {"firstMatch": [{}], "alwaysMatch": {"browserName": "firefox", "acceptInsecureCerts": true, "moz:firefoxOptions": {"profile": "...", "args": ["-headless"]}}}, "desiredCapabilities": {"browserName": "firefox", "acceptInsecureCerts": true, "marionette": true, "moz:firefoxOptions": {"profile": "...", "args": ["-headless"]}}}
2021-11-23 17:12:25,624 Starting new HTTP connection (1): 127.0.0.1:53503
2021-11-23 17:12:29,302 http://127.0.0.1:53503 "POST /session HTTP/1.1" 200 693
2021-11-23 17:12:29,302 Finished Request
2021-11-23 17:12:29,303 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/window/rect {"x": null, "y": null, "width": 1920, "height": 1080}
2021-11-23 17:12:29,331 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/window/rect HTTP/1.1" 200 50
2021-11-23 17:12:29,332 Finished Request
2021-11-23 17:12:29,332 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/window/maximize {}
2021-11-23 17:12:29,587 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/window/maximize HTTP/1.1" 200 50
2021-11-23 17:12:29,588 Finished Request
2021-11-23 17:12:29,588 authenticate using webdriver against URL: https://demoqa.com/login
2021-11-23 17:12:29,588 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/url {"url": "https://demoqa.com/login"}
2021-11-23 17:12:31,480 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/url HTTP/1.1" 200 14
2021-11-23 17:12:31,480 Finished Request
2021-11-23 17:12:36,482 automatically finding login elements
2021-11-23 17:12:36,482 Trying to find element username
2021-11-23 17:12:36,482 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='username') and (@type='text' or @type='email' or @type='number' or not(@type))]
2021-11-23 17:12:36,482 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element {"using": "xpath", "value": "//input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='username') and (@type='text' or @type='email' or @type='number' or not(@type))]"}
2021-11-23 17:12:36,507 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element HTTP/1.1" 200 88
2021-11-23 17:12:36,507 Finished Request
2021-11-23 17:12:36,507 Found element username by id
2021-11-23 17:12:36,508 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/b854ce8d-4a2b-44e8-b965-a1ff033eedae/clear {"id": "b854ce8d-4a2b-44e8-b965-a1ff033eedae"}
2021-11-23 17:12:36,540 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/b854ce8d-4a2b-44e8-b965-a1ff033eedae/clear HTTP/1.1" 200 14
2021-11-23 17:12:36,540 Finished Request
2021-11-23 17:12:36,541 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/b854ce8d-4a2b-44e8-b965-a1ff033eedae/value {"text": "username", "value": ["u", "s", "e", "r", "n", "a", "m", "e"], "id": "b854ce8d-4a2b-44e8-b965-a1ff033eedae"}
2021-11-23 17:12:36,738 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/b854ce8d-4a2b-44e8-b965-a1ff033eedae/value HTTP/1.1" 200 14
2021-11-23 17:12:36,738 Finished Request
2021-11-23 17:12:36,738 Filled the username element
2021-11-23 17:12:36,738 Trying to find element password
2021-11-23 17:12:36,739 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]
2021-11-23 17:12:36,739 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element {"using": "xpath", "value": "//input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]"}
2021-11-23 17:12:36,744 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element HTTP/1.1" 200 88
2021-11-23 17:12:36,745 Finished Request
2021-11-23 17:12:36,745 Found element password by id
2021-11-23 17:12:36,745 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/e9d401fd-712b-46b4-8686-6f694191e950/clear {"id": "e9d401fd-712b-46b4-8686-6f694191e950"}
2021-11-23 17:12:36,761 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/e9d401fd-712b-46b4-8686-6f694191e950/clear HTTP/1.1" 200 14
2021-11-23 17:12:36,762 Finished Request
2021-11-23 17:12:36,763 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/e9d401fd-712b-46b4-8686-6f694191e950/value {"text": "passwprd", "value": ["p", "a", "s", "s", "w", "o", "r", "d"], "id": "e9d401fd-712b-46b4-8686-6f694191e950"}
2021-11-23 17:12:36,840 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/e9d401fd-712b-46b4-8686-6f694191e950/value HTTP/1.1" 200 14
2021-11-23 17:12:36,840 Finished Request
2021-11-23 17:12:36,840 Filled the password element
2021-11-23 17:12:36,841 Trying to find element login
2021-11-23 17:12:36,841 Built xpath: //*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2021-11-23 17:12:36,841 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element {"using": "xpath", "value": "//*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]"}
2021-11-23 17:12:36,854 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element HTTP/1.1" 200 88
2021-11-23 17:12:36,854 Finished Request
2021-11-23 17:12:36,854 Found element login by id
2021-11-23 17:12:36,854 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/0c7a8e85-118d-4f78-a862-9cce041f094b/click {"id": "0c7a8e85-118d-4f78-a862-9cce041f094b"}
2021-11-23 17:12:37,106 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/element/0c7a8e85-118d-4f78-a862-9cce041f094b/click HTTP/1.1" 200 14
2021-11-23 17:12:37,106 Finished Request
2021-11-23 17:12:37,106 Clicked the login element
2021-11-23 17:12:42,077 Finding authentication cookies
2021-11-23 17:12:42,079 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,087 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/addSessionToken/?site=https%3A%2F%2Fdemoqa.com&sessionToken=session_token&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,089 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,107 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/createEmptySession/?site=https%3A%2F%2Fdemoqa.com&apikey=&session=auth-session HTTP/1.1" 200 15
2021-11-23 17:12:42,108 GET http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/cookie {}
2021-11-23 17:12:42,118 http://127.0.0.1:53503 "GET /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/cookie HTTP/1.1" 200 1175
2021-11-23 17:12:42,119 Finished Request
2021-11-23 17:12:42,121 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,126 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=_ga&tokenValue=GA1.2.121671487.1637687551&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,127 Cookie added: _ga=GA1.2.121671487.1637687551
2021-11-23 17:12:42,130 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,135 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=_gid&tokenValue=GA1.2.1784877309.1637687551&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,136 Cookie added: _gid=GA1.2.1784877309.1637687551
2021-11-23 17:12:42,138 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,145 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=_gat_gtag_UA_109033876_1&tokenValue=1&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,146 Cookie added: _gat_gtag_UA_109033876_1=1
2021-11-23 17:12:42,148 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,153 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=token&tokenValue=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyTmFtZSI6InBldGVwZXJmZWN0IiwicGFzc3dvcmQiOiJUZXN0IVRlc3QhMTEiLCJpYXQiOjE2Mzc2ODc1NTZ9.xYKcRuxRIymzfy2809SKlVQOCxFDKa0VDTs66l06qJg&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,154 Cookie added: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyTmFtZSI6InBldGVwZXJmZWN0IiwicGFzc3dvcmQiOiJUZXN0IVRlc3QhMTEiLCJpYXQiOjE2Mzc2ODc1NTZ9.xYKcRuxRIymzfy2809SKlVQOCxFDKa0VDTs66l06qJg
2021-11-23 17:12:42,156 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,160 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=expires&tokenValue=2021-11-30T17%253A12%253A36.979Z&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,161 Cookie added: expires=2021-11-30T17%3A12%3A36.979Z
2021-11-23 17:12:42,164 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,169 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=userID&tokenValue=201225b8-58b3-4284-b54c-0e9447a8e374&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,170 Cookie added: userID=201225b8-58b3-4284-b54c-0e9447a8e374
2021-11-23 17:12:42,173 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,178 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setSessionTokenValue/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&sessionToken=userName&tokenValue=username&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,179 Cookie added: userName=username
2021-11-23 17:12:42,182 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,187 http://localhost:46852 "GET http://zap/JSON/httpSessions/action/setActiveSession/?site=https%3A%2F%2Fdemoqa.com&session=auth-session&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,193 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,200 http://localhost:46852 "GET http://zap/JSON/httpSessions/view/activeSession/?site=https%3A%2F%2Fdemoqa.com HTTP/1.1" 200 33
2021-11-23 17:12:42,201 Active session: auth-session
2021-11-23 17:12:42,201 Finding authentication headers
2021-11-23 17:12:42,202 POST http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/execute/sync {"script": "var ls = window.localStorage, items = {}; for (var i = 0, k; i < ls.length; ++i) items[k = ls.key(i)] = ls.getItem(k); return items; ", "args": []}
2021-11-23 17:12:42,216 http://127.0.0.1:53503 "POST /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff/execute/sync HTTP/1.1" 200 12
2021-11-23 17:12:42,216 Finished Request
2021-11-23 17:12:42,217 DELETE http://127.0.0.1:53503/session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff {}
2021-11-23 17:12:42,914 http://127.0.0.1:53503 "DELETE /session/3a1afbcf-0114-4b1b-abf6-e76a1178bcff HTTP/1.1" 200 14
2021-11-23 17:12:42,915 Finished Request
2021-11-23 17:12:42,916 Tune
2021-11-23 17:12:42,916 Disable all tags
2021-11-23 17:12:42,920 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,930 http://localhost:46852 "GET http://zap/JSON/pscan/action/disableAllTags/?apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,930 Set max pscan alerts
2021-11-23 17:12:42,932 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:42,936 http://localhost:46852 "GET http://zap/JSON/pscan/action/setMaxAlertsPerRule/?maxAlerts=10&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:42,937 Trigger hook: zap_tuned, args: 1
2021-11-23 17:12:42,937 Trigger hook: zap_access_target, args: 2
2021-11-23 17:12:42,940 Starting new HTTPS connection (1): demoqa.com:443
2021-11-23 17:12:43,498 https://demoqa.com:443 "GET / HTTP/1.1" 200 2450
2021-11-23 17:12:45,503 Trigger hook: zap_spider, args: 2
2021-11-23 17:12:45,503 Spider https://demoqa.com
2021-11-23 17:12:45,506 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:45,520 http://localhost:46852 "GET http://zap/JSON/spider/action/scan/?apikey=&url=https%3A%2F%2Fdemoqa.com&contextName=ctx-zap-docker HTTP/1.1" 200 12
2021-11-23 17:12:50,527 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:50,531 http://localhost:46852 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 16
2021-11-23 17:12:50,532 Spider complete
2021-11-23 17:12:50,532 Trigger hook: zap_spider_wrap, args: 1
2021-11-23 17:12:50,532 Trigger hook: zap_ajax_spider, args: 3
2021-11-23 17:12:50,534 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:50,538 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/?Integer=1&apikey= HTTP/1.1" 200 15
2021-11-23 17:12:50,538 AjaxSpider https://demoqa.com
2021-11-23 17:12:50,540 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:50,565 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/action/scan/?apikey=&url=https%3A%2F%2Fdemoqa.com&contextName=ctx-zap-docker HTTP/1.1" 200 15
2021-11-23 17:12:55,573 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:55,577 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/status/ HTTP/1.1" 200 20
2021-11-23 17:12:55,580 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:12:55,585 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/numberOfResults/ HTTP/1.1" 200 23
2021-11-23 17:12:55,586 Ajax Spider running, found urls: 2
2021-11-23 17:13:00,591 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:00,594 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/status/ HTTP/1.1" 200 20
2021-11-23 17:13:00,597 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:00,599 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/numberOfResults/ HTTP/1.1" 200 24
2021-11-23 17:13:00,601 Ajax Spider running, found urls: 13
2021-11-23 17:13:05,603 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:05,606 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/status/ HTTP/1.1" 200 20
2021-11-23 17:13:05,608 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:05,612 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/numberOfResults/ HTTP/1.1" 200 24
2021-11-23 17:13:05,614 Ajax Spider running, found urls: 25
2021-11-23 17:13:10,587 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,590 http://localhost:46852 "GET http://zap/JSON/ajaxSpider/view/status/ HTTP/1.1" 200 20
2021-11-23 17:13:10,591 Ajax Spider complete
2021-11-23 17:13:10,591 Trigger hook: zap_ajax_spider_wrap, args: 1
2021-11-23 17:13:10,594 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,599 http://localhost:46852 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2021-11-23 17:13:10,600 Records to scan...
2021-11-23 17:13:10,603 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,606 http://localhost:46852 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21
2021-11-23 17:13:10,608 Passive scanning complete
2021-11-23 17:13:10,612 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,619 http://localhost:46852 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 360
Total of 11 URLs
2021-11-23 17:13:10,620 Trigger hook: zap_get_alerts, args: 4
2021-11-23 17:13:10,623 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,829 http://localhost:46852 "GET http://zap/JSON/core/view/alerts/?baseurl=https%3A%2F%2Fdemoqa.com&start=0&count=5000 HTTP/1.1" 200 88631
2021-11-23 17:13:10,832 Reading 5000 alerts from 0
2021-11-23 17:13:10,833 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,944 http://localhost:46852 "GET http://zap/JSON/core/view/alerts/?start=5000&count=5000 HTTP/1.1" 200 13
2021-11-23 17:13:10,946 Total number of alerts: 73
2021-11-23 17:13:10,947 Trigger hook: zap_get_alerts_wrap, args: 1
2021-11-23 17:13:10,951 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,964 http://localhost:46852 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 6415
PASS: Vulnerable JS Library [10003]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
2021-11-23 17:13:10,966 Trigger hook: print_rules_wrap, args: 2
2021-11-23 17:13:10,966 Trigger hook: print_rules_wrap, args: 2
WARN-NEW: Incomplete or No Cache-control Header Set [10015] x 4
2021-11-23 17:13:10,969 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,987 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:10,991 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:10,997 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,000 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,003 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,006 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,009 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 12
2021-11-23 17:13:11,011 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,014 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,017 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,020 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,022 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,026 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,028 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,035 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,037 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,040 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
WARN-NEW: X-Frame-Options Header Not Set [10020] x 4
2021-11-23 17:13:11,043 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,046 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,049 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,052 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,055 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,059 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,062 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,065 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 8
2021-11-23 17:13:11,068 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,072 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,078 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,083 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,088 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,093 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,099 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,105 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
2021-11-23 17:13:11,111 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,119 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=14 HTTP/1.1" 200 2351
	https://demoqa.com/favicon.png (200 OK)
WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 8
2021-11-23 17:13:11,126 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,132 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,137 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,141 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,144 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,150 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,158 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,164 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
2021-11-23 17:13:11,167 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,172 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=14 HTTP/1.1" 200 2351
	https://demoqa.com/favicon.png (200 OK)
WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 8
2021-11-23 17:13:11,176 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,182 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,186 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,190 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,200 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,205 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,208 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,213 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
2021-11-23 17:13:11,217 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,223 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=14 HTTP/1.1" 200 2351
	https://demoqa.com/favicon.png (200 OK)
WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 8
2021-11-23 17:13:11,231 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,235 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,238 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,244 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,247 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,251 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,255 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,260 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
2021-11-23 17:13:11,265 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,268 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=14 HTTP/1.1" 200 2351
	https://demoqa.com/favicon.png (200 OK)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 4
2021-11-23 17:13:11,271 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,276 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,278 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,282 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,284 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,290 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,296 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,301 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
WARN-NEW: Timestamp Disclosure - Unix [10096] x 10
2021-11-23 17:13:11,305 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,309 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=1 HTTP/1.1" 200 4016
	https://demoqa.com/ (200 OK)
2021-11-23 17:13:11,313 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,319 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=7 HTTP/1.1" 200 4077
	https://demoqa.com (200 OK)
2021-11-23 17:13:11,322 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,336 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=8 HTTP/1.1" 200 4088
	https://demoqa.com/robots.txt (200 OK)
2021-11-23 17:13:11,338 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,342 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=12 HTTP/1.1" 200 4089
	https://demoqa.com/sitemap.xml (200 OK)
2021-11-23 17:13:11,346 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:11,356 http://localhost:46852 "GET http://zap/JSON/core/view/message/?id=15 HTTP/1.1" 200 56484
	https://demoqa.com/main.css (200 OK)
2021-11-23 17:13:11,358 Trigger hook: print_rules_wrap, args: 2
2021-11-23 17:13:11,358 Trigger hook: print_rules_wrap, args: 2
2021-11-23 17:13:11,360 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:12,656 http://localhost:46852 "GET http://zap/OTHER/core/other/htmlreport/?apikey= HTTP/1.1" 200 77244
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 9	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 44
2021-11-23 17:13:12,673 Trigger hook: zap_pre_shutdown, args: 1
2021-11-23 17:13:12,674 Overview of spidered URL's:
2021-11-23 17:13:12,686 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:12,715 http://localhost:46852 "GET http://zap/JSON/spider/view/allUrls/ HTTP/1.1" 200 215
2021-11-23 17:13:12,716 found: https://demoqa.com
2021-11-23 17:13:12,717 found: https://demoqa.com/robots.txt
2021-11-23 17:13:12,717 found: https://demoqa.com/sitemap.xml
2021-11-23 17:13:12,717 found: https://demoqa.com/
2021-11-23 17:13:12,717 found: https://demoqa.com/favicon.png
2021-11-23 17:13:12,718 found: https://demoqa.com/main.css
2021-11-23 17:13:12,718 found: https://demoqa.com/bundle.js
2021-11-23 17:13:12,726 Starting new HTTP connection (1): localhost:46852
2021-11-23 17:13:12,733 http://localhost:46852 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15
2021-11-23 17:13:12,735 Trigger hook: pre_exit, args: 3
```

dicksnel commented 2 years ago

@pedro37 I think it has something to do with your site using a lot of JavaScript, because many links that do not require authentication are not spidered either. Maybe the Ajax spider is not working properly. Can you try running the official image and see if all URLs without authentication are properly spidered?

dhodyrahmad commented 1 year ago

Hi, I'm running into the same issue. After the login page, ZAP is not scanning all paths of the target. Did you mean to try using the zaproxy image?

dicksnel commented 1 year ago

@dhodyrahmad can you provide a full log?

dhodyrahmad commented 1 year ago

Hi @dicksnel, thanks for replying. I'm doing a little modification to the auth and showing the URLs to scan.

I'm running with: zap-full-scan.py -I -j -m 10 -T 60 -t "https://url.id" --hook=/zap/auth_hook.py -J zap-$CI_PROJECT_NAME-report.json -r zap-$CI_PROJECT_NAME-report.html -x zap-$CI_PROJECT_NAME-report.xml -z 'auth.loginurl="https://url.id/login" auth.username="user@alto.id" auth.password="P4ssw0rd" auth.exclude="https://url.id/logout" auth.username_field="email" auth.password_field="password" auth.first_submit_field="Continue" auth.submit_field="LOGIN" auth.include="https://url.id/path1, https://url.id/path2"'

logs: 023-01-03 04:09:00,895 _get_zap_param auth.loginurl: https://url.id/login 2023-01-03 04:09:00,895 _get_zap_param auth.username: user@alto.id 2023-01-03 04:09:00,895 _get_zap_param auth.password: P4ssw0rd 2023-01-03 04:09:00,895 _get_zap_param auth.username_field: email 2023-01-03 04:09:00,895 _get_zap_param auth.password_field: password 2023-01-03 04:09:00,895 _get_zap_param auth.submit_field: LOGIN 2023-01-03 04:09:00,895 _get_zap_param auth.first_submit_field: Continue 2023-01-03 04:09:00,895 _get_zap_param_list auth.exclude: ['https://url.id/logout'] 2023-01-03 04:09:00,895 _get_zap_param_list auth.include: ['https://url.id/path1', ' https://url.id/path2'] 2023-01-03 04:09:11,227 Included https://url.id/path1 2023-01-03 04:09:11,265 Included https://url.id/path2 2023-01-03 04:09:11,414 Excluded https://url.id/logout 2023-01-03 04:09:11,414 Start webdriver 2023-01-03 04:09:13,432 authenticate using webdriver against URL: https://url.id/login 2023-01-03 04:09:19,502 automatically finding login elements 2023-01-03 04:09:19,502 Trying to find element email 2023-01-03 04:09:19,502 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='email') and (@type='text' or @type='email' or @type='number' or not(@type))] 2023-01-03 04:09:19,540 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='email') and (@type='text' or @type='email' or @type='number' or not(@type))] 2023-01-03 04:09:19,573 Found element email by name 2023-01-03 04:09:19,710 Filled the email element 2023-01-03 04:09:19,710 Trying to find element password 2023-01-03 04:09:19,710 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))] 2023-01-03 04:09:19,729 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or 
not(@type))] 2023-01-03 04:09:19,755 Found element password by name 2023-01-03 04:09:19,790 Did not find the password field - clicking Next button and trying again 2023-01-03 04:09:19,882 button Continue success 2023-01-03 04:09:19,884 Trying to find element password 2023-01-03 04:09:19,884 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))] 2023-01-03 04:09:29,949 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))] 2023-01-03 04:09:29,968 Found element password by name 2023-01-03 04:09:30,180 Filled the password element 2023-01-03 04:09:30,243 button LOGIN success 2023-01-03 04:09:35,249 Finding authentication cookies 2023-01-03 04:09:35,308 Cookie added: accessToken=token 2023-01-03 04:09:35,327 Active session: auth-session 2023-01-03 04:09:35,327 Finding authentication headers 2023-01-03 04:09:35,344 Found Local or Session Storage item: dataAccess: [{"parentId":1,"menuId":1,"menu":"Monitoring","typ 2023-01-03 04:09:35,359 Found Local or Session Storage item: dataLogin: {"accessToken":"token 2023-01-03 04:09:35,376 Authorization header added: Bearer token 2023-01-03 04:09:35,385 Found Local or Session Storage item: dataParameter: [{"parameterId":"max_send_email_attempt","value":" 2023-01-03 04:09:35,398 Found Local or Session Storage item: dataUser: {"id":39,"email":"user@google.com","userName":"user 2023-01-03 04:09:35,416 Found Local or Session Storage item: isLoggedin: true Total of 25 URLs ['https://url.id', 'https://url.id/', 'https://url/_next', 'https://url/_next/static', 'https://url.id/_next/static/0IpQV7yOuOwgF84a0VbK9', 'https://url.id/_next/static/0IpQV7yOuOwgF84a0VbK9/_buildManifest.js', 'https://url.id/_next/static/0IpQV7yOuOwgF84a0VbK9/_ssgManifest.js', 'https://url.id/_next/static/chunks', 
'https://url.id/_next/static/chunks/196-346c0f26fe0af850.js', 'https://url.id/_next/static/chunks/8342-a665f5aca586f7f5.js', 'https://url.id/_next/static/chunks/9272-77d73fe56ed12c2a.js', 'https://url.id/_next/static/chunks/framework-4ed89e9640adfb9e.js', 'https://url.id/_next/static/chunks/main-f5e0661ff7893278.js', 'https://url.id/_next/static/chunks/pages', 'https://url.id/_next/static/chunks/pages/404-ba3883ea9e06b786.js', 'https://url.id/_next/static/chunks/pages/_app-98137182b9474f25.js', 'https://url.id/_next/static/chunks/pages/index-59239617b2a79521.js', 'https://url.id/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js', 'https://url.id/_next/static/chunks/webpack-3c67ae7a563786aa.js', 'https://url.id/_next/static/css', 'https://url.id/_next/static/css/7728a5f98bae38fd.css', 'https://url.id/apple-icon.png', 'https://url.id/favicon.ico', 'https://url.id/robots.txt', 'https://url.id/sitemap.xml'] PASS: Directory Browsing [0] PASS: Vulnerable JS Library (Powered by Retire.js) [10003] PASS: In Page Banner Information Leak [10009] PASS: Cookie No HttpOnly Flag [10010] PASS: Cookie Without Secure Flag [10011] PASS: Re-examine Cache-control Directives [10015] PASS: Cross-Domain JavaScript Source File Inclusion [10017] PASS: Content-Type Header Missing [10019] PASS: Information Disclosure - Debug Error Messages [10023] PASS: Information Disclosure - Sensitive Information in URL [10024] PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025] PASS: HTTP Parameter Override [10026] PASS: Information Disclosure - Suspicious Comments [10027] PASS: Open Redirect [10028] PASS: Cookie Poisoning [10029] PASS: User Controllable Charset [10030] PASS: User Controllable HTML Element Attribute (Potential XSS) [10031] PASS: Viewstate [10032] PASS: Directory Browsing [10033] PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034] PASS: HTTP Server Response Header [10036] PASS: X-Backend-Server Header Information Leak [10039] PASS: Secure Pages 
Include Mixed Content [10040] PASS: HTTP to HTTPS Insecure Transition in Form Post [10041] PASS: HTTPS to HTTP Insecure Transition in Form Post [10042] PASS: User Controllable JavaScript Event (XSS) [10043] PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044] PASS: Source Code Disclosure - /WEB-INF folder [10045] PASS: HTTPS Content Available via HTTP [10047] PASS: Remote Code Execution - Shell Shock [10048] PASS: Content Cacheability [10049] PASS: Retrieved from Cache [10050] PASS: Relative Path Confusion [10051] PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052] PASS: Cookie without SameSite Attribute [10054] PASS: CSP [10055] PASS: X-Debug-Token Information Leak [10056] PASS: Username Hash Found [10057] PASS: GET for POST [10058] PASS: X-AspNet-Version Response Header [10061] PASS: PII Disclosure [10062] PASS: Backup File Disclosure [10095] PASS: Hash Disclosure [10097] PASS: Cross-Domain Misconfiguration [10098] PASS: User Agent Fuzzer [10104] PASS: Weak Authentication Method [10105] PASS: HTTP Only Site [10106] PASS: Httpoxy - Proxy Header Misuse [10107] PASS: Reverse Tabnabbing [10108] PASS: Modern Web Application [10109] PASS: Dangerous JS Functions [10110] PASS: Absence of Anti-CSRF Tokens [10202] PASS: Private IP Disclosure [2] PASS: Anti-CSRF Tokens Check [20012] PASS: HTTP Parameter Pollution [20014] PASS: Heartbleed OpenSSL Vulnerability [20015] PASS: Cross-Domain Misconfiguration [20016] PASS: Source Code Disclosure - CVE-2012-1823 [20017] PASS: Remote Code Execution - CVE-2012-1823 [20018] PASS: External Redirect [20019] PASS: Session ID in URL Rewrite [3] PASS: Buffer Overflow [30001] PASS: Format String Error [30002] PASS: Integer Overflow Error [30003] PASS: CRLF Injection [40003] PASS: Parameter Tampering [40008] PASS: Server Side Include [40009] PASS: Cross Site Scripting (Reflected) [40012] PASS: Session Fixation [40013] PASS: Cross Site Scripting (Persistent) [40014] PASS: Cross Site Scripting (Persistent) - 
Prime [40016] PASS: Cross Site Scripting (Persistent) - Spider [40017] PASS: SQL Injection [40018] PASS: SQL Injection - MySQL [40019] PASS: SQL Injection - Hypersonic SQL [40020] PASS: SQL Injection - Oracle [40021] PASS: SQL Injection - PostgreSQL [40022] PASS: Possible Username Enumeration [40023] PASS: SQL Injection - SQLite [40024] PASS: Cross Site Scripting (DOM Based) [40026] PASS: SQL Injection - MsSQL [40027] PASS: ELMAH Information Leak [40028] PASS: Trace.axd Information Leak [40029] PASS: Out of Band XSS [40031] PASS: .htaccess Information Leak [40032] PASS: .env Information Leak [40034] PASS: Hidden File Finder [40035] PASS: Bypassing 403 [40038] PASS: CORS Header [40040] PASS: Spring Actuator Information Leak [40042] PASS: Log4Shell [40043] PASS: Exponential Entity Expansion (Billion Laughs Attack) [40044] PASS: Spring4Shell [40045] PASS: Source Code Disclosure - Git [41] PASS: Source Code Disclosure - SVN [42] PASS: Source Code Disclosure - File Inclusion [43] PASS: Script Active Scan Rules [50000] PASS: Script Passive Scan Rules [50001] PASS: Path Traversal [6] PASS: Remote File Inclusion [7] PASS: Insecure JSF ViewState [90001] PASS: Java Serialization Object [90002] PASS: Sub Resource Integrity Attribute Missing [90003] PASS: Charset Mismatch [90011] PASS: XSLT Injection [90017] PASS: Server Side Code Injection [90019] PASS: Remote OS Command Injection [90020] PASS: XPath Injection [90021] PASS: XML External Entity Attack [90023] PASS: Generic Padding Oracle [90024] PASS: Expression Language Injection [90025] PASS: SOAP Action Spoofing [90026] PASS: Cookie Slack Detector [90027] PASS: Insecure HTTP Method [90028] PASS: SOAP XML Injection [90029] PASS: WSDL File Detection [90030] PASS: Loosely Scoped Cookie [90033] PASS: Cloud Metadata Potentially Exposed [90034] PASS: Server Side Template Injection [90035] PASS: Server Side Template Injection (Blind) [90036] WARN-NEW: Missing Anti-clickjacking Header [10020] x 2 https://url.id (200 OK) 
https://url.id/ (200 OK) WARN-NEW: X-Content-Type-Options Header Missing [10021] x 11 https://url.id (200 OK) https://url.id/ (200 OK) https://url.id/apple-icon.png (200 OK) https://url.id/_next/static/chunks/webpack-3c67ae7a563786aa.js (200 OK) https://url.id/favicon.ico (200 OK) WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 11 https://url.id/robots.txt (404 Not Found) https://url.id/sitemap.xml (404 Not Found) https://url.id (200 OK) https://url.id/ (200 OK) https://url.id/apple-icon.png (200 OK) WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 4 https://url.id/robots.txt (404 Not Found) https://url.id/sitemap.xml (404 Not Found) https://url.id (200 OK) https://url.id/ (200 OK) WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 4 https://url.id/robots.txt (404 Not Found) https://url.id/sitemap.xml (404 Not Found) https://url.id (200 OK) https://url.id/ (200 OK) WARN-NEW: Permissions Policy Header Not Set [10063] x 11 https://url.id/sitemap.xml (404 Not Found) https://url.id/robots.txt (404 Not Found) https://url.id (200 OK) https://url.id/ (200 OK) https://url.id/_next/static/chunks/webpack-3c67ae7a563786aa.js (200 OK) WARN-NEW: Timestamp Disclosure - Unix [10096] x 18 https://url.id/apple-icon.png (200 OK) https://url.id/_next/static/chunks/8342-a665f5aca586f7f5.js (200 OK) https://url.id/_next/static/chunks/8342-a665f5aca586f7f5.js (200 OK) https://url.id/_next/static/chunks/8342-a665f5aca586f7f5.js (200 OK) https://url.id/_next/static/chunks/8342-a665f5aca586f7f5.js (200 OK) WARN-NEW: Proxy Disclosure [40025] x 25 https://url.id/ (200 OK) https://url.id (200 OK) https://url.id/_.next (404 Not Found) https://url.id/_next/static (404 Not Found) https://url.id/_next/static/0IpQV7yOuOwgF84a0VbK9 (404 Not Found) WARN-NEW: Application Error Disclosure [90022] x 1 https://url.id/_next/static/chunks/main-f5e0661ff7893278.js (200 OK) FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 9 WARN-INPROG: 0 INFO: 0 
IGNORE: 0 PASS: 120

I need to scan all the paths under the include URLs, and in "Total URLs" I'm not seeing any of the include URLs I attached before. I tried changing the target to one of my include URLs (e.g. https://url.id/path1); it scanned /path1 but still did not scan the other paths. Have I missed something?
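An added diagnostic for the symptom described in this thread (auth.include entries that never show up in the spidered URL list); it is not code from this project or its auth_hook.py, and the -z string and log excerpt it parses are constructed to mirror the posts above, with the comma-splitting behaviour inferred from the ' https://url.id/path2' entry visible in the log:

```python
"""Added diagnostic, not code from zap2docker-auth-weekly or its auth_hook.py:
given the -z option string and the scan log, report which auth.include
entries never matched a spidered URL (the symptom described in the thread)."""
import ast
import re

# Constructed sample inputs modelled on the thread, not a real run.
Z_OPTS = ('auth.loginurl="https://url.id/login" auth.username="user@alto.id" '
          'auth.exclude="https://url.id/logout" '
          'auth.include="https://url.id/path1, https://url.id/path2"')
LOG = (
    "2023-01-03 04:09:11,227 Included https://url.id/path1\n"
    "2023-01-03 04:09:11,265 Included https://url.id/path2\n"
    "Total of 4 URLs ['https://url.id', 'https://url.id/', "
    "'https://url.id/robots.txt', 'https://url.id/path1/dashboard']\n"
    "2023-01-03 04:09:40,000 found: https://url.id/favicon.ico\n"
)

def parse_z_param(z, key):
    """Value of one key=value pair in the -z string (quoted or bare), or None."""
    m = re.search(re.escape(key) + r'=(?:"([^"]*)"|(\S+))', z)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def parse_z_list(z, key):
    """Comma-separated value. Splitting on ',' alone leaves a leading space on
    later entries (the log shows ' https://url.id/path2'), so strip each one
    before using it as a pattern."""
    raw = parse_z_param(z, key)
    return [e.strip() for e in raw.split(",") if e.strip()] if raw else []

def spidered_urls(log):
    """URLs from both log shapes in the thread: zap-baseline's per-line
    'found: <url>' and zap-full-scan's 'Total of N URLs [...]' list."""
    urls = set()
    for line in log.splitlines():
        m = re.search(r"\bfound: (\S+)", line)
        if m:
            urls.add(m.group(1))
        m = re.search(r"Total of \d+ URLs (\[.*\])", line)
        if m:
            urls.update(ast.literal_eval(m.group(1)))  # list is a Python literal
    return urls

def include_coverage(z, log):
    """Map each auth.include pattern (a regex, as ZAP context includes are)
    to the sorted spidered URLs it matches."""
    found = spidered_urls(log)
    return {inc: sorted(u for u in found if re.match(inc, u))
            for inc in parse_z_list(z, "auth.include")}

def uncovered_includes(z, log):
    """Include patterns no spidered URL matched: scopes the scan never reached."""
    return [inc for inc, urls in include_coverage(z, log).items() if not urls]

if __name__ == "__main__":
    for inc, urls in include_coverage(Z_OPTS, LOG).items():
        print(f"{inc}: {len(urls)} spidered URL(s)")
    print("uncovered:", uncovered_includes(Z_OPTS, LOG))
```

Running it against a real log tells you which include scopes the spider never entered, which is the first thing to check before suspecting the authentication step itself.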