iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0

error in xss_scan #30

Closed akshay1991raj closed 8 years ago

akshay1991raj commented 8 years ago

I am getting an "invalid port number" error after running id xss_scan in app_scan.story. Following is a snapshot of my terminal:

[java] 18:22:45,636 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 18:22:47,645 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 67790 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2 - invalid port number
[java] org.apache.commons.httpclient.URIException: invalid port number
[java] at org.apache.commons.httpclient.URI.parseAuthority(URI.java:2248)
[java] at org.apache.commons.httpclient.URI.parseUriReference(URI.java:1978)
[java] at org.apache.commons.httpclient.URI.<init>(URI.java:167)
[java] at org.apache.commons.httpclient.URI.<init>(URI.java:455)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:127)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)

Please mention how to resolve this.

iriusrisk commented 8 years ago

The error comes from the ZAP cross site scripting plugin, so the first thing to try is to run ZAP standalone and navigate the application manually with a browser, then perform a ZAP scan and see whether you get the same error.

You could also try to disable the XSS test in bdd-security by adding the @skip meta tag to the scenario and see whether the other ZAP scenarios work ok.
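As an added example (not code from the bdd-security project or from either commenter), a small Python parser for the ant-prefixed ZAP output quoted above: it separates each scan-rule error and its root exception from the scan-progress noise, so a rule that errored during the run is surfaced instead of the scan being read as clean. The log layout assumed is the one in the issue; the sample lines are a constructed subset of that output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the ant-prefixed lines from the issue, one entry per line.
SAMPLE_LOG = """\
[java] 18:22:45,636 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 18:22:47,645 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 67790 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2 - invalid port number
[java] org.apache.commons.httpclient.URIException: invalid port number
[java] at org.apache.commons.httpclient.URI.parseAuthority(URI.java:2248)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:127)
[java] at java.lang.Thread.run(Thread.java:745)
"""

ANT_PREFIX = re.compile(r"^\s*\[java\]\s*")
# ZAP scan-rule error line: "<millis> [<thread>] ERROR <rule class> - <message>"
RULE_ERROR = re.compile(r"^\d+ \[(?P<thread>[^\]]+)\] ERROR (?P<rule>\S+) - (?P<msg>.*)$")
# First line of a Java stack trace: "<exception class>: <message>"
EXCEPTION = re.compile(r"^(?P<exc>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")
PROGRESS = re.compile(r"Scan is (?P<pct>\d+)% complete")


def parse_scan_log(text: str) -> Dict[str, object]:
    """Return the scan-progress samples and every scan-rule error with its exception and frames."""
    errors: List[Dict[str, object]] = []
    progress: List[int] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = ANT_PREFIX.sub("", raw).rstrip()  # drop ant's "[java]" prefix
        if m := PROGRESS.search(line):
            progress.append(int(m.group("pct")))
        elif m := RULE_ERROR.match(line):
            current = {"thread": m.group("thread"), "rule": m.group("rule"),
                       "message": m.group("msg"), "exception": None, "frames": []}
            errors.append(current)
        elif current is not None and (m := EXCEPTION.match(line)):
            current["exception"] = m.group("exc")
        elif current is not None and line.startswith("at "):
            current["frames"].append(line[3:])  # stack frame belonging to the current error
    return {"progress": progress, "errors": errors}


def failed_rules(text: str) -> List[str]:
    """Short class names of scan rules that raised; a non-empty list means that check did not complete."""
    return sorted({str(e["rule"]).rsplit(".", 1)[-1] for e in parse_scan_log(text)["errors"]})
```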