ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

Spider is not using the logged in session #9

Closed mantri-govind closed 5 years ago

mantri-govind commented 5 years ago

Hi

Thanks a lot for this solution for authenticating form-based applications; it works very smoothly. However, for some reason I feel the spider is not using the same session to browse through the application. For example, my target URL is http:\\www.example.com:3000/abc; it's a RoR-based application. The script does the authentication and gets a cookie; after that the spider starts, and it traverses only the login page and its assets like JS, CSS etc. My configuration is as follows:

```shell
docker run --rm -v $(pwd):/zap/wrk/:rw -t zap-scan zap-baseline-custom.py -r testreport.html -g gen.conf -d -m 3 \
  -t http://example.com:3000/abc/ \
  --auth_auto \
  --auth_loginurl "http://example.com:3000/abc/users/sign_in" \
  --auth_username admin \
  --auth_password changeme \
  --auth_exclude "http://example.com:3000/abc/users/sign_out"
```

In my Rails log I can see the user got authenticated, but after that, when the spider starts, I feel it is not using the same session, hence it is not able to browse through all the links... Can you please check if I'm missing something like spider depth or anything?

TIA

dicksnel commented 5 years ago

Hi, can you please post the console output?

mantri-govind commented 5 years ago

@dicksnel console output

` A dash may be used with the "merge" and "source" to read from the standard input. Commands beginning with "n" use numeric format.

DEBUG:easyprocess:param: "['Xvfb', '-br', '-nolisten', 'tcp', '-screen', '0', '1024x768x24', ':1001']" DEBUG:easyprocess:command: ['Xvfb', '-br', '-nolisten', 'tcp', '-screen', '0', '1024x768x24', ':1001'] DEBUG:easyprocess:joined command: Xvfb -br -nolisten tcp -screen 0 1024x768x24 :1001 DEBUG:easyprocess:process was started (pid=241) DEBUG:pyvirtualdisplay.abstractdisplay:DISPLAY=:1001 DEBUG:root:Run the webdriver for authentication DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session {"requiredCapabilities": {}, "desiredCapabilities": {"binary": "/usr/bin/firefox", "javascriptEnabled": true, "firefox_profile": "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", "args": [], "platform": "ANY", "browserName": "firefox", "version": "", "proxy": {"proxyType": "MANUAL", "noProxy": null, "autodetect": false, "sslProxy": "localhost:42219", "httpProxy": "localhost:42219", "class": "org.openqa.selenium.Proxy", "ftpProxy": "localhost:42219"}, "marionette": false}} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/timeouts/implicit_wait {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "ms": 30000.0} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:root:Authenticate using webdriver http://example.com:3000/App/ DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/url {"url": "http://example.com:3000/App/", "sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:root:Automatically finding login fields DEBUG:root:** DEBUG:root:** DEBUG:root:** DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element {"using": "xpath", "sessionId": 
"2363e47c-3580-4d9a-9a55-66a5b592d803", "value": "(//input[(@type='text' and contains(@name,'ser')) or @type='text'])[1]"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element/{20ab6119-3c02-447f-b81c-6137ec3746eb}/clear {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "id": "{20ab6119-3c02-447f-b81c-6137ec3746eb}"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element/{20ab6119-3c02-447f-b81c-6137ec3746eb}/value {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "id": "{20ab6119-3c02-447f-b81c-6137ec3746eb}", "value": ["g", "o", "v", "i", "n", "d", ".", "g", "o", "p", "a", "l"]} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element {"using": "xpath", "sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "value": "//input[@type='password' or contains(@name,'ass')]"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element/{5bd7f23e-50be-4c88-b1d9-60404fbbda4f}/clear {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "id": "{5bd7f23e-50be-4c88-b1d9-60404fbbda4f}"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element/{5bd7f23e-50be-4c88-b1d9-60404fbbda4f}/value {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "id": "{5bd7f23e-50be-4c88-b1d9-60404fbbda4f}", "value": ["c", "h", "a", "n", "g", "e", "m", "e", "1", "2", "3"]} 
DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element {"using": "xpath", "sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "value": "//*[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login' and (@type='submit' or @type='button')) or @type='submit' or @type='button']"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:selenium.webdriver.remote.remote_connection:POST http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/element/{48b7eda9-b3c9-4bdb-b6bd-465a0afd9747}/click {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803", "id": "{48b7eda9-b3c9-4bdb-b6bd-465a0afd9747}"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:root:Create an authenticated session DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/httpSessions/action/createEmptySession/?session=auth-session&apikey=&site=http%3A%2F%2Fexample.com%3A3000%2FApp%2F HTTP/1.1" 200 15 DEBUG:selenium.webdriver.remote.remote_connection:GET http://127.0.0.1:50752/hub/session/2363e47c-3580-4d9a-9a55-66a5b592d803/cookie {"sessionId": "2363e47c-3580-4d9a-9a55-66a5b592d803"} DEBUG:selenium.webdriver.remote.remote_connection:Finished Request DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET 
http://zap/JSON/httpSessions/action/setSessionTokenValue/?apikey=&session=auth-session&tokenValue=SThkMWRYS2lubmNaaDlkWWlsWHJPYm1mb3pBVk40dW9tUmpWMUxKOXJrM3orT2RBZUJBL3hZTEQxWnZtZWx4ZTk2bzdyRE9ZTEFMS3VRQWZzN2RXb1JaZ3pEcTNsRDMvaVgzVGgrbllxZE5GeHE5dTN2YThuVkYvR3ZTN2ZxbHFZb0VOTHlkUW85UHZJRmJXS2R5WmNIMzhpclhaWVYxUFVTUXhoOG5BbEU0ZEVZbWpLczRGdGc2MWMrbUIrRnJvaW9ZeXV2a1lVMHovSmxqSGl1ZjNBQThJTStvNXBRVnV3U3I2UVVhUFFqeWRoSFYvSnVBdE5vYmdVQXFCaFlnNDczekV0WXlvTkhpSEF2WUVyTm1MWUVuV1lsK0FCREwveGdlZy9Qd1VBVnJCaU9PZ2JUNkdWNnNvWFhJY1YxRjYtLTFoVFE4UEY2S1AvWTkyT1NTWkFKSWc9PQ%253D%253D--6e3e590bb35d8750e37e4ec92755432ee1764f9c&site=http%3A%2F%2Fexample.com%3A3000%2FApp%2F&sessionToken=_App-App_sessions HTTP/1.1" 200 15 DEBUG:root:Cookie found: _App-App_sessions - Value: SThkMWRYS2lubmNaaDlkWWlsWHJPYm1mb3pBVk40dW9tUmpWMUxKOXJrM3orT2RBZUJBL3hZTEQxWnZtZWx4ZTk2bzdyRE9ZTEFMS3VRQWZzN2RXb1JaZ3pEcTNsRDMvaVgzVGgrbllxZE5GeHE5dTN2YThuVkYvR3ZTN2ZxbHFZb0VOTHlkUW85UHZJRmJXS2R5WmNIMzhpclhaWVYxUFVTUXhoOG5BbEU0ZEVZbWpLczRGdGc2MWMrbUIrRnJvaW9ZeXV2a1lVMHovSmxqSGl1ZjNBQThJTStvNXBRVnV3U3I2UVVhUFFqeWRoSFYvSnVBdE5vYmdVQXFCaFlnNDczekV0WXlvTkhpSEF2WUVyTm1MWUVuV1lsK0FCREwveGdlZy9Qd1VBVnJCaU9PZ2JUNkdWNnNvWFhJY1YxRjYtLTFoVFE4UEY2S1AvWTkyT1NTWkFKSWc9PQ%3D%3D--6e3e590bb35d8750e37e4ec92755432ee1764f9c DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/httpSessions/action/setActiveSession/?apikey=&session=auth-session&site=http%3A%2F%2Fexample.com%3A3000%2FApp%2F HTTP/1.1" 200 15 DEBUG:root:** DEBUG:root:*Session***** DEBUG:root:** DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/httpSessions/view/activeSession/?site=http%3A%2F%2Fexample.com%3A3000%2FApp%2F HTTP/1.1" 200 33 DEBUG:root:Active session: auth-session DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 
DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/httpSessions/view/sessionTokens/?site=http%3A%2F%2Fexample.com%3A3000%2FApp%2F HTTP/1.1" 200 40 DEBUG:root:Session token: ["_App-App_sessions"] DEBUG:root:** DEBUG:root:*Normal Spider***** DEBUG:root:** DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/context/view/contextList/ HTTP/1.1" 200 24 DEBUG:root:***["auth"] DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/action/scan/?url=http%3A%2F%2Fexample.com%3A3000%2FApp%2F&apikey=&recurse=True&contextName=auth HTTP/1.1" 200 12 DEBUG:root:*Normal Spider*** DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 11 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 34 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET 
http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 75 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 93 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 95 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 95 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 HTTP/1.1" 200 15 DEBUG:root:Spider progress %: 96 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/spider/view/status/?scanId=0 
HTTP/1.1" 200 16 DEBUG:root:Spider complete DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 7092 https://aus5.mozilla.org https://aus5.mozilla.org/update https://aus5.mozilla.org/update/3 https://aus5.mozilla.org/update/3/GMP https://aus5.mozilla.org/update/3/GMP/46.0 https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000 https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3 https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US/release https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US/release/Linux%204.4.0-102-generic%20(GTK%203.22.30,libpulse%2011.1.0) https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US/release/Linux%204.4.0-102-generic%20(GTK%203.22.30,libpulse%2011.1.0)/default https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US/release/Linux%204.4.0-102-generic%20(GTK%203.22.30,libpulse%2011.1.0)/default/default https://aus5.mozilla.org/update/3/GMP/46.0/20160421124000/Linux_x86_64-gcc3/en-US/release/Linux%204.4.0-102-generic%20(GTK%203.22.30%2Clibpulse%2011.1.0)/default/default/update.xml https://shavar.services.mozilla.com https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=46.0&pver=2.2 http://example.com:3000 http://example.com:3000/App http://example.com:3000/App/assets http://example.com:3000/App/assets/application.self-b45560328a7cfbbf0e6d1a697a48ef3b4ae05d0e1c83bef26b8668bab329d821.js?body=1 http://example.com:3000/App/assets/application.self-e006d475d6ffac96ffa76bbb9822f738b4f33b0ba9d773f5164ca0e748f255ef.css?body=1 http://example.com:3000/App/assets/attendance_history.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 
http://example.com:3000/App/assets/attendance_history.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/bootstrap.min.self-504d59678f10d79a661b6cecdce5b8c1d5bfd98e860614584c0a40399552d61f.js?body=1 http://example.com:3000/App/assets/bootstrap.min.self-8e2df4de11169459300f2b436f3abcdc65838f12132122db7f5380eaf43e1336.css?body=1 http://example.com:3000/App/assets/conference.self-921b7614a791a27ac016169b6326842d2caba07148c658922c17eef97add9bd4.js?body=1 http://example.com:3000/App/assets/conference_attendence_histories.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 http://example.com:3000/App/assets/conference_attendence_histories.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/dashboard.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 http://example.com:3000/App/assets/dashboard.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/font-awesome.self-041517b423bef19eb83ea8e5f19def0cc201aef8d95e00437ab5ce8cb0b15158.css?body=1 http://example.com:3000/App/assets/fontawesome-webfont-2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe.woff2 http://example.com:3000/App/assets/images http://example.com:3000/App/assets/images/cancel.png http://example.com:3000/App/assets/images/details_open.png http://example.com:3000/App/assets/images/sort_asc.png http://example.com:3000/App/assets/images/sort_both.png http://example.com:3000/App/assets/images/update.png http://example.com:3000/App/assets/images/workflow.png http://example.com:3000/App/assets/jquery.1dataTables.min.self-29aadd584b8bcb1133197591de39b62922fc98ec0e1969f55d4cef1fa47bec76.js?body=1 http://example.com:3000/App/assets/jquery.1dataTables.min.self-7f6b4189782400148d910f00643bcb5aeafdd05656a9b267b4444ddf7f9e886d.css?body=1 
http://example.com:3000/App/assets/jquery.2dataTables.buttons.min.self-346a1cf0035743862348e9d6b8703c153966e98fe523b2efea257256c9032ecb.js?body=1 http://example.com:3000/App/assets/jquery.3datatable.pdf.min.self-dd1912a95462b84a0130071d0a25b8a0e2e319d847aa284f3c340ebcc50c57d6.js?body=1 http://example.com:3000/App/assets/jquery.3datatable.print.min.self-5cf40aa1a69063798764e5019279283e180a23ee74b824c0e7dfb39e97640050.js?body=1 http://example.com:3000/App/assets/jquery.4datatable.pdffont.min.self-45d28254ee895958c298fb5205ba3f360643dea82e7f82dc1088a4fb3a29a0e8.js?body=1 http://example.com:3000/App/assets/jquery.datatable.button.min.self-d5086a5a45fefdad773ef7071aed5e7fa729cc1d9f4c2d4041228ed7f08d97ba.css?body=1 http://example.com:3000/App/assets/jquery.datatable.buttons.html5.min.self-cc1aaa0dca4ff7796641985eb144c239f41463109c07af385fc41e2ac7440a97.js?body=1 http://example.com:3000/App/assets/jquery.datatable.jszip.min.self-f8b9c5100d1d5b6a84317f6f0848fcedbc9dccb44074e7a080c9c76082403bc0.js?body=1 http://example.com:3000/App/assets/jquery.dataTables.zcolReorder.self-db53fceb02b9b66f35738d213f8f4a6eb5794f10baae1925dccfec2beb4b00e3.js?body=1 http://example.com:3000/App/assets/jquery.self-bd7ddd393353a8d2480a622e80342adf488fb6006d667e8b42e4c0073393abee.js?body=1 http://example.com:3000/App/assets/jquery_ujs.self-784a997f6726036b1993eb2217c9cb558e1cbb801c6da88105588c56f13b466a.js?body=1 http://example.com:3000/App/assets/printThis.self-9c988d152a74085a8f11cc9fd26c497315de84888945c2fc6a7cc92e4703a40d.js?body=1 http://example.com:3000/App/assets/reports.self-d99b11537c9b34d20b6b968ba60339edcce65de7d2e4428776fbb81036cec150.js?body=1 http://example.com:3000/App/assets/reports.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/App_area_budget.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 
http://example.com:3000/App/assets/App_area_budget.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/selectize.bootstrap3.min.self-89cf0a60ee4d21290800c5e6b68b2faccaa650c97977fbb25d9dc32106273468.css?body=1 http://example.com:3000/App/assets/selectize.min.self-7544b89facd65ea630e754a74b078c438d501ca395b2c2a2aab2248e3de2a992.js?body=1 http://example.com:3000/App/assets/starburst http://example.com:3000/App/assets/starburst/starburst.self-449fcacdf21a18b29acc221a6c75687a29f6cdcd395ed89331b3d990ee26a68e.js?body=1 http://example.com:3000/App/assets/travel_request.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 http://example.com:3000/App/assets/travel_request.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/assets/workflow_comments.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 http://example.com:3000/App/assets/workflow_comments.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1 http://example.com:3000/App/users http://example.com:3000/App/users/sign_in http://example.com:3000/App/ DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21 DEBUG:root:Records to scan... 
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/pscan/view/recordsToScan/ HTTP/1.1" 200 21 DEBUG:root:Passive scanning complete DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 7092 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 7092 Total of 66 URLs DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/view/alerts/?count=100&start=0 HTTP/1.1" 200 872112 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/view/alerts/?count=100&start=100 HTTP/1.1" 200 13 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/pscan/view/scanners/ HTTP/1.1" 200 3210 PASS: Cookie No HttpOnly Flag [10010] PASS: Cookie Without Secure Flag [10011] PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] PASS: Cross-Domain JavaScript Source File Inclusion [10017] PASS: X-Frame-Options Header Scanner [10020] PASS: Information Disclosure - Debug Error Messages [10023] PASS: Information Disclosure - Sensitive Information in URL [10024] PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025] PASS: HTTP Parameter Override [10026] PASS: Viewstate Scanner [10032] PASS: Secure Pages Include Mixed Content [10040] PASS: CSP Scanner [10055] PASS: Weak Authentication Method [10105] PASS: Absence of Anti-CSRF Tokens [10202] PASS: Session ID in URL Rewrite [3] PASS: Script Passive Scan Rules 
[50001] PASS: Insecure JSF ViewState [90001] PASS: Charset Mismatch [90011] PASS: WSDL File Passive Scanner [90030] PASS: Loosely Scoped Cookie [90033] WARN: Web Browser XSS Protection Not Enabled [10016] x 4 http://example.com:3000/App/assets http://example.com:3000/App/assets/images http://example.com:3000/App/assets/starburst http://example.com:3000/App/users WARN: Content-Type Header Missing [10019] x 1 http://example.com:3000/App/assets/fontawesome-webfont-2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe.woff2 WARN: X-Content-Type-Options Header Missing [10021] x 30 http://example.com:3000/App/assets/jquery.dataTables.zcolReorder.self-db53fceb02b9b66f35738d213f8f4a6eb5794f10baae1925dccfec2beb4b00e3.js?body=1 http://example.com:3000/App/assets/jquery.2dataTables.buttons.min.self-346a1cf0035743862348e9d6b8703c153966e98fe523b2efea257256c9032ecb.js?body=1 http://example.com:3000/App/assets/dashboard.self-19a187bec6cdb96d6de80a61c16c857c613536adf9138476bd367db38d282635.js?body=1 http://example.com:3000/App/assets/jquery.1dataTables.min.self-29aadd584b8bcb1133197591de39b62922fc98ec0e1969f55d4cef1fa47bec76.js?body=1 http://example.com:3000/App/assets/conference.self-921b7614a791a27ac016169b6326842d2caba07148c658922c17eef97add9bd4.js?body=1 WARN: Information Disclosure - Suspicious Comments [10027] x 14 http://example.com:3000/App/assets/jquery.dataTables.zcolReorder.self-db53fceb02b9b66f35738d213f8f4a6eb5794f10baae1925dccfec2beb4b00e3.js?body=1 http://example.com:3000/App/assets/jquery.1dataTables.min.self-29aadd584b8bcb1133197591de39b62922fc98ec0e1969f55d4cef1fa47bec76.js?body=1 http://example.com:3000/App/assets/jquery_ujs.self-784a997f6726036b1993eb2217c9cb558e1cbb801c6da88105588c56f13b466a.js?body=1 http://example.com:3000/App/assets/jquery.3datatable.pdf.min.self-dd1912a95462b84a0130071d0a25b8a0e2e319d847aa284f3c340ebcc50c57d6.js?body=1 
http://example.com:3000/App/assets/jquery.4datatable.pdffont.min.self-45d28254ee895958c298fb5205ba3f360643dea82e7f82dc1088a4fb3a29a0e8.js?body=1 WARN: Private IP Disclosure [2] x 4 http://example.com:3000/App/assets http://example.com:3000/App/assets/images http://example.com:3000/App/assets/starburst http://example.com:3000/App/users WARN: Application Error Disclosure [90022] x 1 http://example.com:3000/App/assets/jquery.3datatable.pdf.min.self-dd1912a95462b84a0130071d0a25b8a0e2e319d847aa284f3c340ebcc50c57d6.js?body=1 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/OTHER/core/other/htmlreport/?apikey= HTTP/1.1" 200 61435 FAIL: 0 WARN: 6 INFO: 0 IGNORE: 0 PASS: 20 DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:42219 DEBUG:urllib3.connectionpool:http://localhost:42219 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15 `

My http://example.com:3000/myApp has many links post-login which the spider should use, like http://example.com:3000/myApp/myPage1 http://example.com:3000/myApp/myPage2 http://example.com:3000/myApp/myPage3/abc, but neither the spider nor the active scan is reaching those links. I have verified by putting in a few debug messages that the spider is using the same session, but still it's not going through.. you can see the same in the logs.

Thanks
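The console output above shows the symptom in the URL list that ZAP's `core/view/urls` view returns after "Spider complete": only the site root, the sign-in page, static assets and Firefox's own update traffic, none of the post-login pages. The following script is an added example, not code from the zap2docker-auth-weekly project or from this thread: it takes such a URL list and reports whether an authenticated crawl actually got past the login page, by bucketing the URLs and checking that the post-login pages you expect were reached. The sample URLs are constructed from the log above; the target, the login paths and the expected pages (`/App/myPage1`, `/App/myPage2`, modelled on the `myPage` links mentioned in the issue) are assumptions you would replace with your own.

```python
"""Check whether an authenticated ZAP spider run got past the login page.

Added example (not part of the zap2docker-auth-weekly project). Works offline
on the URL list ZAP returns from core/view/urls. Target, login paths and the
expected post-login pages are assumptions supplied by the caller.
"""
from collections import Counter
from urllib.parse import urlparse

# File extensions treated as static assets rather than application pages.
ASSET_SUFFIXES = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico",
                  ".woff", ".woff2", ".ttf", ".map")

# Constructed sample, abbreviated from the console output in this issue.
TARGET = "http://example.com:3000/App/"
LOGIN_PATHS = ["/App/users/sign_in", "/App/users/sign_out"]
EXPECTED_PAGES = ["/App/myPage1", "/App/myPage2"]   # assumed post-login pages
SAMPLE_URLS = [
    "https://aus5.mozilla.org/update/3/GMP/46.0",
    "https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox",
    "http://example.com:3000",
    "http://example.com:3000/App",
    "http://example.com:3000/App/",
    "http://example.com:3000/App/assets",
    "http://example.com:3000/App/assets/images/cancel.png",
    "http://example.com:3000/App/assets/application.self-b45560328a7c.js?body=1",
    "http://example.com:3000/App/users",
    "http://example.com:3000/App/users/sign_in",
]


def classify_url(url, target, login_paths):
    """Bucket a crawled URL: external, login, asset, root or app.

    'root' is the target path and its ancestors (ZAP lists these as tree
    nodes); 'app' is any other same-host page, i.e. what an authenticated
    crawl should be producing in quantity.
    """
    parsed, tgt = urlparse(url), urlparse(target)
    if parsed.netloc != tgt.netloc:
        return "external"          # browser/update traffic, not the target
    path = parsed.path.rstrip("/")
    for lp in login_paths:
        lp = lp.rstrip("/")
        if path == lp or path.startswith(lp + "/"):
            return "login"
    if "/assets/" in path + "/" or path.endswith(ASSET_SUFFIXES):
        return "asset"
    target_path = tgt.path.rstrip("/")
    if path == target_path or target_path.startswith(path + "/"):
        return "root"
    return "app"


def check_coverage(urls, target, login_paths, expected_paths):
    """Summarise the crawl and list expected post-login pages never reached."""
    counts = Counter(classify_url(u, target, login_paths) for u in urls)
    host = urlparse(target).netloc
    visited = {urlparse(u).path.rstrip("/") for u in urls
               if urlparse(u).netloc == host}
    missing = [p for p in expected_paths if p.rstrip("/") not in visited]
    return {
        "counts": dict(counts),
        "missing": missing,
        # If any expected page is absent, the session was most likely not
        # applied to spider requests (or the page redirected to sign-in).
        "authenticated_crawl_ok": not missing,
    }


if __name__ == "__main__":
    report = check_coverage(SAMPLE_URLS, TARGET, LOGIN_PATHS, EXPECTED_PAGES)
    print("URL buckets:", report["counts"])
    if report["authenticated_crawl_ok"]:
        print("OK: all expected post-login pages were crawled")
    else:
        print("NOT OK: spider never reached", report["missing"])
```

Run it against the real list (one URL per line from the `core/view/urls` response, or the block printed after "Spider complete") and compare the `app` count with the number of pages you can see when logged in by hand: a crawl that is only `root`, `login` and `asset` entries, with every expected page missing, is the pattern shown in the log above and means the session cookie was not applied to the spider's requests.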

dicksnel commented 5 years ago

Hi @mantri-govind, thanks for the info. Is the cookie named "_App-App_sessions" the only cookie required to get a valid session? Or does the application require any additional cookies or HTTP headers containing session-related tokens?

mantri-govind commented 5 years ago

Yes @dicksnel that's the only thing which is needed.

mantri-govind commented 5 years ago

@dicksnel Any idea why it is acting like this? I have even tried the same in the UI as well, and it's happening the same way in the GUI.

dicksnel commented 5 years ago

Hi, I'm trying to replicate the issue and will get back to you.

dicksnel commented 5 years ago

Hi, this issue is now fixed in the master branch. Please try a new scan and use the example shown in the README.