I have an application where the "passive scan" via OWASP ZAP has identified a potential issue.
However, none of the reports (Cucumber, build/zap/passive.xml, etc.) have details that show what the payload was in the request, and what the response body was.
E.g. from passive.xml:
<alertitem>
  <pluginid>10023</pluginid>
  <alert>Information Disclosure - Debug Error Messages</alert>
  <name>Information Disclosure - Debug Error Messages</name>
  <riskcode>1</riskcode>
  <confidence>2</confidence>
  <riskdesc>Low (Medium)</riskdesc>
  <desc><p>The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.</p></desc>
  <instances>
    <instance>
      <uri>https://domain/page.html</uri>
      <evidence>Internal server error</evidence>
    </instance>
  </instances>
</alertitem>
I took a quick look at the ZAP API and didn't see an option to enable saving the session.
I see there is a zap/tmp/session folder that has some data files, but no ".session" files that ZAP would use to open via the GUI. I tried opening the ".data" file and then creating a mock ".session" file, but ZAP complained about errors in both cases.
What are our options?
Thanks!
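One way to recover the request and response behind an alert like the one above, as an added example that is not part of the original post: the alert records served by the ZAP REST API carry a messageId that the XML report omits, and core/view/message returns the stored request and response for that id; core/action/saveSession writes a session the GUI can open. It assumes ZAP is listening on http://localhost:8080 with an API key configured, and uses the plugin id 10023 from the report.

```python
"""Fetch the full HTTP request/response behind ZAP alerts via the ZAP REST API.

Added example, not from the original post. Assumes ZAP's API at ZAP_API
(default http://localhost:8080) and a configured API key. The endpoint
names are ZAP's own: core/view/alerts, core/view/message, core/action/saveSession.
"""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumption: default ZAP API address


def zap_get(component, kind, name, params, api_key, base=ZAP_API):
    """Call one ZAP JSON endpoint and return the decoded body."""
    url = f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def messages_for_plugin(plugin_id, api_key, get=zap_get):
    """Return one record per alert raised by plugin_id, with request and response.

    The XML report only carries the URI and evidence; the API alert record also
    carries messageId, which keys into the request/response ZAP has stored.
    """
    found = []
    for alert in get("core", "view", "alerts", {}, api_key)["alerts"]:
        if str(alert.get("pluginId")) != str(plugin_id):
            continue
        msg = get("core", "view", "message", {"id": alert["messageId"]}, api_key)["message"]
        found.append({
            "uri": alert.get("url"),
            "evidence": alert.get("evidence"),
            "request": msg["requestHeader"] + msg["requestBody"],
            "response": msg["responseHeader"] + msg["responseBody"],
        })
    return found


def save_session(name, api_key, get=zap_get):
    """Persist the running session so it can later be opened in the ZAP GUI."""
    return get("core", "action", "saveSession", {"name": name, "overwrite": "true"}, api_key)


if __name__ == "__main__":
    for hit in messages_for_plugin(10023, "changeme"):   # "changeme": placeholder API key
        print(hit["uri"], "->", hit["evidence"])
        print(hit["response"][:500])
```

The `get` parameter exists only so the API transport can be swapped out; in normal use leave it at its default.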