Closed GoogleCodeExporter closed 9 years ago
Could you confirm that the file was created?
The "/xml" at the end of the path is correct?
Original comment by THC...@gmail.com
on 11 Oct 2011 at 6:03
I also ran into this issue. I was able to duplicate it in Windows and in
different Linux distros (CentOS 6, BackTrack 5r1, Ubuntu 10.04, 11.04, Debian 6),
using the Moth VM from Bonsai Information Security.
I spider and then I scan with all options on. The log shows that the scanner
finished ok. I try to save and I get the error message in my browser. No new
entry appears in the log.
A friend of mine was able to make it work by disabling the "parameter
tampering" option in the injection policy module. I tested ZAP without that
option and everything worked. I then scanned with only the "parameter
tampering" option and I wasn't able to create a report.
I hope this can help in finding out what the problem is.
Original comment by jrs.pie...@gmail.com
on 25 Oct 2011 at 5:14
Steps to reproduce the problem with moth:
- Run ZAP.
- Access the URL: http://<moth-ip-address>/w3af/audit/preg_replace/preg_section_regex.php?search=
- Start the active scan on <moth-ip-address> with the option "Parameter tampering" enabled
- Generate a report.
Exception when choosing the option to generate a report:
org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x0) was
found in the element content of the document.
at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at org.parosproxy.paros.extension.report.ReportGenerator.stringToHtml(ReportGenerator.java:65)
at org.parosproxy.paros.extension.report.ReportLastScan.generate(ReportLastScan.java:144)
at org.parosproxy.paros.extension.report.ReportLastScan.generateHtml(ReportLastScan.java:186)
at org.parosproxy.paros.extension.report.ExtensionReport$1.actionPerformed(ExtensionReport.java:93)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.AbstractButton.doClick(Unknown Source)
at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
...
at java.awt.EventDispatchThread.run(Unknown Source)
Original comment by THC...@gmail.com
on 26 Oct 2011 at 1:55
Original comment by THC...@gmail.com
on 26 Oct 2011 at 1:57
For a fix, how about enhancing ReportGenerator.entityEncode to encode null
characters as something safe, like %00?
Maybe we should do that for all non-standard chars?
Original comment by psii...@gmail.com
on 3 Nov 2011 at 4:44
In the "Alerts" tab, when you choose an alert from "Parameter tampering", that
has a "NULL" character, the "Parameter:" field shows "param= ". The empty space
is the "NULL" character, but it's not visible.
You have to look into the URI, in the "Alerts" tree, to see the character (it
is encoded).
Apart from that, I see no problem in encoding the characters in
ReportGenerator.entityEncode, at least to prevent this issue.
Original comment by THC...@gmail.com
on 3 Nov 2011 at 7:49
Thought we could use something sensible, like:
StringEscapeUtils.escapeXml(str);
but it turns out this just stops outputting a null chr :(
So the best option might be to still use it but to first replace nulls with %00
I'll implement that.
Original comment by psii...@gmail.com
on 4 Nov 2011 at 1:49
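As an added illustration (not ZAP's own code, and in Python rather than Java), the following shows why the report XML fails to parse when an alert parameter carries a NUL, and the fix proposed above generalised to every character XML 1.0 forbids in element content; the function names and the sample parameter value are constructed for this example.

```python
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# XML 1.0 allows only TAB, LF, CR and code points >= 0x20 (minus the
# surrogate range and 0xFFFE/0xFFFF) in element content. A raw NUL (0x0)
# in a parameter is exactly what triggered the SAXParseException above.
def is_xml_char(ch: str) -> bool:
    cp = ord(ch)
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def entity_encode_naive(text: str) -> str:
    """Escape only the markup characters; forbidden control chars pass through."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def entity_encode(text: str) -> str:
    """Replace each character XML forbids with a visible %XX token (the
    thread's NUL -> %00 idea, applied to all such chars), then escape markup."""
    cleaned = "".join(ch if is_xml_char(ch) else "%%%02X" % ord(ch) for ch in text)
    return entity_encode_naive(cleaned)

def parses(xml_fragment: str) -> bool:
    """True if the fragment, wrapped in one element, is well-formed XML."""
    try:
        xml.dom.minidom.parseString("<param>%s</param>" % xml_fragment)
        return True
    except ExpatError:
        return False

# Constructed sample: a parameter value with an embedded NUL, as a
# "Parameter tampering" probe would send, plus '<' to show markup escaping.
SAMPLE_PARAM = "search=\x00<script>"

if __name__ == "__main__":
    print(parses(entity_encode_naive(SAMPLE_PARAM)))  # False: NUL reaches the parser
    print(entity_encode(SAMPLE_PARAM))                # search=%00&lt;script&gt;
    print(parses(entity_encode(SAMPLE_PARAM)))        # True
```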
Original comment by psii...@gmail.com
on 4 Nov 2011 at 1:52
Original comment by psii...@gmail.com
on 4 Nov 2011 at 7:07
Original comment by psii...@gmail.com
on 8 Apr 2012 at 1:19
Original issue reported on code.google.com by
agsherlo...@gmail.com
on 11 Oct 2011 at 1:34