iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0

java.lang.RuntimeException: No HTTP requests-responses recorded - in iriusrisk-cwe-693-clickjack #109

Open AbhiAuto opened 3 years ago

AbhiAuto commented 3 years ago

Hi Team,

I am getting the error below while running the scenario below against a sample application. While debugging it sometimes works, but not always. Please let me know the solution to fix this.

```gherkin
@iriusrisk-cwe-693-clickjack
Scenario: Restrict other sites from placing it in an iframe in order to prevent ClickJacking attacks
```

```
[RemoteTestNG] detected TestNG version 6.14.3
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/D:/Repo/.m2/org/slf4j/slf4j-simple/1.7.10/slf4j-simple-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/D:/Repo/.m2/org/apache/logging/log4j/log4j-slf4j-impl/2.11.0/log4j-slf4j-impl-2.11.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/D:/Repo/.m2/org/slf4j/slf4j-nop/1.7.10/slf4j-nop-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
Starting ChromeDriver 89.0.4389.23 (61b08ee2c50024bab004e48d2b1b083cdbdac579-refs/branch-heads/4389@{#294}) on port 30224
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully.
Apr 28, 2021 10:55:06 AM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
Apr 28, 2021 10:55:07 AM org.openqa.selenium.remote.DesiredCapabilities chrome
INFO: Using new ChromeOptions() is preferred to DesiredCapabilities.chrome()
Apr 28, 2021 10:55:07 AM net.continuumsecurity.scanner.ZapManager startZAP
INFO: Setting upstream proxy for ZAP to: 165.225.106.40:9400
Apr 28, 2021 10:55:07 AM net.continuumsecurity.scanner.ZapManager startZAP
INFO: Start ZAProxy [\src\main\resources\Security\ZAP_2.6.0\zap.bat] on port: 65508
Apr 28, 2021 10:55:08 AM net.continuumsecurity.scanner.ZapManager waitForSuccessfulConnectionToZap
INFO: Attempting to connect to ZAP API on: 127.0.0.1 port: 65508

\src\main\resources\Security\ZAP_2.6.0>if exist "OWASP ZAP.ZAP_JVM.properties" (set /p jvmopts= 0<"OWASP ZAP.ZAP_JVM.properties" ) else (set jvmopts=-Xmx512m )

\src\main\resources\Security\ZAP_2.6.0>java -Xmx512m -jar zap-2.6.0.jar -daemon -host 127.0.0.1 -port 65508 -dir tmp -config scanner.threadPerHost=20 -config spider.thread=10 -config api.key=zapapisecret -config connection.proxyChain.hostName=165.225.106.40 -config connection.proxyChain.port=9400 -config connection.proxyChain.enabled=true
0 [main] INFO org.zaproxy.zap.DaemonBootstrap - OWASP ZAP 2.6.0 started 28/04/21 10:55:09
29 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config scanner.threadPerHost = 20 was 20
29 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config spider.thread = 10 was 10
30 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.key = zapapisecret was zapapisecret
30 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.hostName = 165.225.106.40 was 165.225.106.40
30 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.port = 9400 was 9400
30 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.enabled = true was true
31 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
31 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
45 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
54 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
236 [main] INFO hsqldb.db..ENGINE - open start - state not modified
383 [main] INFO hsqldb.db..ENGINE - dataFileCache open start
410 [main] INFO hsqldb.db..ENGINE - dataFileCache open end
448 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
912 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=alertFilters, fileVersion=4], [id=ascanrules, fileVersion=26], [id=ascanrulesAlpha, fileVersion=19], [id=ascanrulesBeta, fileVersion=21], [id=bruteforce, fileVersion=6], [id=coreLang, fileVersion=11], [id=diff, fileVersion=7], [id=directorylistv1, fileVersion=3], [id=fuzz, fileVersion=8, version=2.0.1], [id=gettingStarted, fileVersion=6], [id=help, fileVersion=7], [id=invoke, fileVersion=6], [id=jxbrowser, fileVersion=2], [id=jxbrowserlinux32, fileVersion=1], [id=jxbrowserlinux64, fileVersion=1], [id=jxbrowsermacos, fileVersion=1], [id=jxbrowserwindows, fileVersion=1], [id=onlineMenu, fileVersion=5], [id=pscanrules, fileVersion=19], [id=pscanrulesBeta, fileVersion=16], [id=quickstart, fileVersion=19], [id=replacer, fileVersion=2], [id=reveal, fileVersion=2], [id=saverawmessage, fileVersion=3], [id=scripts, fileVersion=18], [id=selenium, fileVersion=10, version=1.1.0], [id=spiderAjax, fileVersion=17], [id=sqliplugin, fileVersion=11], [id=tips, fileVersion=6], [id=webdriverlinux, fileVersion=2], [id=webdrivermacos, fileVersion=2], [id=webdriverwindows, fileVersion=2], [id=websocket, fileVersion=12], [id=zest, fileVersion=23]]
1132 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
1244 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Change user agent to other browsers.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Detect insecure or potentially malicious content in HTTP responses.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Detect and alert 'Set-cookie' attempt in HTTP response for modification.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Avoid browser cache (strip off IfModifiedSince)
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log cookies sent by browser.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log unique GET queries into file:filter\get.xls
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log unique POST queries into file: filter\post.xls
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log request and response into file: filter\message.txt
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP request body using defined pattern.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP request header using defined pattern.
1245 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP response body using defined pattern.
1246 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP response header using defined pattern.
1246 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Send ZAP session request ID
1409 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
1412 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionViewOption
1412 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionEdit
1412 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionFilter
1412 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
1431 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionState
1431 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReport
1431 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHistory
1432 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
1433 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
1433 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash...
1434 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
1434 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Web Browser XSS Protection Not Enabled
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
1474 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Password Autocomplete in Browser
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Informations in URL
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
1475 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
1476 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner
1485 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
1485 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
1489 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
1493 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
1493 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
1494 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionManualRequest
1494 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
1494 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
1494 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
1495 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAuthentication
1503 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication]
1504 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
1514 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
1514 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionUserManagement
1515 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
1516 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
1521 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
1521 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionForcedUser
1521 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
1522 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
1622 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
1622 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionRequestPostTableView
1622 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSessionManagement
1623 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management]
1623 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelRequestFormTableView
1624 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
1626 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
1626 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAuthorization
1626 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
1627 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
1627 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
1627 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
1627 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
1627 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
Apr 28, 2021 10:55:11 AM net.continuumsecurity.scanner.ZapManager waitForSuccessfulConnectionToZap
INFO: Attempting to connect to ZAP API on: 127.0.0.1 port: 65508
1846 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
1846 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelComponentonentAll
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelHexView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelImageView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelLargeRequestView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelLargeResponseView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelRequestQueryCookieTableView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelSyntaxHighlightTextView
1847 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
1848 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
1848 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - alpha
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
1849 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionJxBrowser
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionJxBrowserLinux32
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtSelJxBrowserLinux32
1850 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionJxBrowserLinux64
1851 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtSelJxBrowserLinux64
1851 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionJxBrowserMaxOS
1851 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtSelJxBrowserMacOs
1851 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionJxBrowserWindows
1851 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtSelJxBrowserWindows
1856 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
1856 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
1856 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
1856 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start panel
1857 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
1857 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
1857 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
1858 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Helper extension for Advanced SQL Injection scanner.
1858 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
1858 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
1859 [ZAP-daemon] WARN org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - This ZAP installation is over a year old - its probably very out of date
1889 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:65511
1995 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 127.0.0.1:65508
Apr 28, 2021 10:55:11 AM net.continuumsecurity.scanner.ZapManager waitForSuccessfulConnectionToZap
INFO: Connected to ZAP
Starting ChromeDriver 89.0.4389.23 (61b08ee2c50024bab004e48d2b1b083cdbdac579-refs/branch-heads/4389@{#294}) on port 19296
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully.
Apr 28, 2021 10:55:13 AM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
15074 [ZAP-ProxyThread-8] INFO org.parosproxy.paros.control.Control - Discard Session
16333 [ZAP-ProxyThread-8] INFO org.parosproxy.paros.control.Control - New Session
16333 [ZAP-ProxyThread-8] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db
16389 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - dataFileCache commit start
16410 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - dataFileCache commit end
16470 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - Database closed
16594 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - open start - state not modified
16655 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - dataFileCache open start
16677 [ZAP-ProxyThread-8] INFO hsqldb.db..ENGINE - dataFileCache open end
@http_headers
Feature: Security settings on HTTP headers
  Verify that HTTP headers adequately protect data from attackers

  Background:                                                              # Features/BDDSecurity/http_headers.feature:5
    Given a new browser or client instance                                 # WebApplicationSteps.createAppForAnyClient()
    When the following URLs are visited and their HTTP responses recorded  # WebApplicationSteps.accessSecureBaseUrlAndRecordHTTPResponse(String>)
      java.lang.RuntimeException: No HTTP requests-responses recorded
        at com.scripted.securitystepdefs.WebApplicationSteps.recordFirstHarEntry(WebApplicationSteps.java:521)
        at com.scripted.securitystepdefs.WebApplicationSteps.accessSecureBaseUrlAndRecordHTTPResponse(WebApplicationSteps.java:559)
        at ?.the following URLs are visited and their HTTP responses recorded(file:Features/BDDSecurity/http_headers.feature:7)

  @http_headers @iriusrisk-cwe-693-clickjack
  Scenario: Restrict other sites from placing it in an iframe in order to prevent ClickJacking attacks  # Features/BDDSecurity/http_headers.feature:11
    Then the X-Frame-Options header is either SAMEORIGIN or DENY            # WebApplicationSteps.checkIfXFrameOptionsHeaderIsSet(String,String)

FAILED: runScenario("Restrict other sites from placing it in an iframe in order to prevent ClickJacking attacks", "Security settings on HTTP headers")
Runs Cucumber Scenarios
java.lang.RuntimeException: No HTTP requests-responses recorded
	at com.scripted.securitystepdefs.WebApplicationSteps.recordFirstHarEntry(WebApplicationSteps.java:521)
	at com.scripted.securitystepdefs.WebApplicationSteps.accessSecureBaseUrlAndRecordHTTPResponse(WebApplicationSteps.java:559)
	at ?.the following URLs are visited and their HTTP responses recorded(file:Features/BDDSecurity/http_headers.feature:7)

===============================================
Default test
Tests run: 1, Failures: 1, Skips: 0

Apr 28, 2021 10:56:08 AM net.continuumsecurity.scanner.ZapManager stopZap
INFO: Stopping ZAP
60619 [Thread-5] INFO hsqldb.db..ENGINE - dataFileCache commit start
60667 [Thread-5] INFO hsqldb.db..ENGINE - dataFileCache commit end
60747 [Thread-5] INFO hsqldb.db..ENGINE - Database closed
60855 [Thread-5] INFO org.zaproxy.zap.extension.api.CoreAPI - OWASP ZAP 2.6.0 terminated.

===============================================
Default suite
Total tests run: 1, Failures: 1, Skips: 0
```
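The failing step in the report above never reaches the X-Frame-Options comparison: `recordFirstHarEntry` throws because the proxy history is empty for the visited URL, which is a harness problem (traffic not captured) rather than a finding about the application (header missing or weak). The example below is an added illustration and is not code from the bdd-security project; it is written in Python instead of the project's Java so that it runs stand-alone. It assumes a HAR-shaped history (a list of entries with `url` and a `headers` list of `name`/`value` pairs), takes a hypothetical `fetch_history` callable standing in for a proxy history lookup, and uses constructed sample data. It separates the two outcomes explicitly and waits with a bounded timeout for the recording to appear, since an intermittent empty recording is commonly caused by reading the proxy history before the browser's request has completed.

```python
"""Added example: X-Frame-Options check over a recorded proxy history.

Not bdd-security's own code. Entries are assumed HAR-shaped; fetch_history is a
hypothetical stand-in for querying a proxy such as ZAP for its recorded messages.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

Entry = Dict[str, object]  # {"url": str, "headers": [{"name": str, "value": str}, ...]}


class NoResponsesRecorded(RuntimeError):
    """Harness failure: the proxy history holds no response for the visited URL."""


def find_entry(entries: List[Entry], url: str) -> Optional[Entry]:
    """Return the first recorded entry for url, or None."""
    for entry in entries:
        if entry["url"] == url:
            return entry
    return None


def header_value(entry: Entry, name: str) -> Optional[str]:
    """Case-insensitive lookup of a response header in a HAR-style headers list."""
    for header in entry["headers"]:
        if str(header["name"]).lower() == name.lower():
            return str(header["value"])
    return None


def wait_for_entry(fetch_history: Callable[[], List[Entry]], url: str,
                   timeout_s: float = 5.0, poll_s: float = 0.05) -> Entry:
    """Poll the proxy history until a response for url appears or the timeout expires.

    Raising NoResponsesRecorded keeps 'nothing captured' distinct from a real finding.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        entry = find_entry(fetch_history(), url)
        if entry is not None:
            return entry
        if time.monotonic() >= deadline:
            raise NoResponsesRecorded(
                f"no HTTP response recorded for {url} within {timeout_s}s; "
                "check that the browser is actually routed through the proxy")
        time.sleep(poll_s)


def x_frame_options_ok(entry: Entry) -> Tuple[bool, str]:
    """The clickjacking check: X-Frame-Options must be SAMEORIGIN or DENY."""
    value = header_value(entry, "X-Frame-Options")
    if value is None:
        return False, "X-Frame-Options header missing"
    normalized = value.strip().upper()
    if normalized in ("SAMEORIGIN", "DENY"):
        return True, f"X-Frame-Options: {normalized}"
    # e.g. the deprecated ALLOW-FROM form, which the step does not accept
    return False, f"X-Frame-Options has non-restrictive value {value!r}"


def check_clickjacking_protection(fetch_history: Callable[[], List[Entry]], url: str,
                                  timeout_s: float = 5.0) -> Tuple[bool, str]:
    """Full step: wait for the recording, then evaluate the header."""
    return x_frame_options_ok(wait_for_entry(fetch_history, url, timeout_s))


def records_nothing(fetch_history: Callable[[], List[Entry]], url: str,
                    timeout_s: float = 0.2) -> bool:
    """True when the step fails for lack of a recording rather than a weak header."""
    try:
        check_clickjacking_protection(fetch_history, url, timeout_s)
    except NoResponsesRecorded:
        return True
    return False


def delayed_history(history: List[Entry], ready_after_calls: int) -> Callable[[], List[Entry]]:
    """Simulate a proxy whose history only fills in after a few polls (constructed)."""
    calls = {"n": 0}

    def fetch() -> List[Entry]:
        calls["n"] += 1
        return history if calls["n"] >= ready_after_calls else []
    return fetch


# Constructed sample histories; not captures from any real application.
SAMPLE_URL = "https://app.example.test/login"
HISTORY_GOOD = [{"url": SAMPLE_URL, "headers": [{"name": "x-frame-options", "value": "sameorigin"}]}]
HISTORY_MISSING = [{"url": SAMPLE_URL, "headers": [{"name": "Content-Type", "value": "text/html"}]}]
HISTORY_WEAK = [{"url": SAMPLE_URL, "headers": [{"name": "X-Frame-Options", "value": "ALLOW-FROM https://other.example.test"}]}]
HISTORY_EMPTY: List[Entry] = []

if __name__ == "__main__":
    print(check_clickjacking_protection(lambda: HISTORY_GOOD, SAMPLE_URL))
    print(check_clickjacking_protection(lambda: HISTORY_MISSING, SAMPLE_URL))
    print(check_clickjacking_protection(delayed_history(HISTORY_GOOD, 3), SAMPLE_URL))
    print("harness failure:", records_nothing(lambda: HISTORY_EMPTY, SAMPLE_URL))
```

When wiring something like this to a real proxy, `fetch_history` would query the proxy's message history for the URL and the timeout should cover page load through the proxy; a `NoResponsesRecorded` result points at browser or proxy configuration, while a `False` verdict is the actual clickjacking finding.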