Open akshay1991raj opened 9 years ago
The full details are in the report: ./reports/latest/view/reports.html then click on the html link to the story you'd like to view. XML results from ZAP are in ./reports/zap/*.xml
My passive scanner runs and gives me all the X-Frame-Options Header Not Set vulnerabilities present in my website, which happens to have a lot of XSS vulnerabilities. But then the "id scan_xss" runs and I could not find any XSS vulnerabilities present after the scan.
Is it that we have to manually specify the fields where XSS attack tests are supposed to take place? Or is there any other way?
Which branch of the code are you using? and are you using the built-in zap or your own downloaded version? If the latter, which version?
I am using the built-in ZAP and I am trying to run "id scan_xss" in app_scan.story
And which branch of the bdd-security code?
@continuumsecurity master
Make sure that the "navigate" method in the Java class submits all forms in your application. Check the navigate method in RopeyTasksApplication.java for an example of how to do this. To more easily generate the Selenium steps in that method, you could try the Selenium IDE Firefox plugin to record the form submission and navigation steps. ZAP will only scan the traffic it sees, so if you haven't visited the URLs or submitted the forms in the navigate method, then it won't scan them.
Whenever I run the "id scan_xss" in app_scan.story from the terminal, instead of getting the status of which XSS attacks worked and for which field, I am getting a number of outputs in my terminal as follows:
X-Frame-Options Header Not Set
[java] URL: [ some url in the website scanned ]
[java] Parameter:
[java] CWE-ID: 0
[java] WASC-ID: 0
I want to know how to see the list of all XSS scripts that are working and where, and also if and how we can set for which fields XSS attacks should be tried.
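The question above asks how to get at the XSS findings specifically, rather than the X-Frame-Options noise printed to the terminal. The thread notes that ZAP's raw results are written to ./reports/zap/*.xml, and those files list every alert together with the URL, parameter and attack string for each instance. The following is an added example (not part of this issue, not bdd-security's own code) that reads such a report, counts alerts by name, and pulls out only the Cross Site Scripting entries with the field they were found in. The embedded XML is a constructed sample in the layout of a ZAP 2.x XML report, not a real scan result; the element names (alertitem, alert, riskcode, instances/instance, uri, param, attack, cweid) are assumed from that format, and the code also tolerates the older per-instance layout where uri/param sit directly under alertitem.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout of a ZAP 2.x XML report (not a real scan result).
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.4.3" generated="Mon, 1 Jan 2015 00:00:00">
  <site name="http://app.example.test" host="app.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10020</pluginid>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>http://app.example.test/login</uri><method>GET</method><param></param></instance>
          <instance><uri>http://app.example.test/tasks</uri><method>GET</method><param></param></instance>
        </instances>
        <cweid>16</cweid>
        <wascid>15</wascid>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance>
            <uri>http://app.example.test/search</uri>
            <method>GET</method>
            <param>q</param>
            <attack>&lt;script&gt;alert(1)&lt;/script&gt;</attack>
          </instance>
        </instances>
        <cweid>79</cweid>
        <wascid>8</wascid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Flatten a ZAP XML report into one dict per alert instance."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            name = (item.findtext("alert") or item.findtext("name") or "").strip()
            risk = int(item.findtext("riskcode") or 0)
            cwe = (item.findtext("cweid") or "").strip()
            # ZAP 2.4+ nests instances; older reports put uri/param on the alertitem itself.
            instances = item.findall("instances/instance") or [item]
            for inst in instances:
                alerts.append({
                    "site": site.get("name"),
                    "name": name,
                    "risk": risk,
                    "cwe": cwe,
                    "uri": (inst.findtext("uri") or "").strip(),
                    "method": (inst.findtext("method") or "").strip(),
                    "param": (inst.findtext("param") or "").strip(),
                    "attack": (inst.findtext("attack") or "").strip(),
                })
    return alerts


def summarize(alerts):
    """Count alert instances per alert name (what the terminal output lumps together)."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["name"]] += 1
    return dict(counts)


def xss_findings(alerts):
    """Keep only Cross Site Scripting alerts, matched by name or by CWE-79."""
    return [a for a in alerts
            if "cross site scripting" in a["name"].lower() or a["cwe"] == "79"]


if __name__ == "__main__":
    # Usage: python zap_xss_report.py ./reports/zap/*.xml   (falls back to the sample)
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8").read() for p in paths] if paths else [SAMPLE_ZAP_XML]
    for text in texts:
        found = parse_alerts(text)
        for name, n in sorted(summarize(found).items()):
            print(f"{n:4d}  {name}")
        for a in xss_findings(found):
            print(f"XSS  {a['method']} {a['uri']}  param={a['param']!r}  attack={a['attack']!r}")
```

Running it over the real ./reports/zap/*.xml files shows, per alert name, how many instances ZAP recorded, and then one line per XSS instance with the affected URL and parameter. If that list is empty while the X-Frame-Options count is high, ZAP saw the pages but never saw the forms being submitted, which is the situation the maintainer's advice about the navigate method addresses.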