search

iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0
559 stars 177 forks source link

Unable to perform app_Scan on http://testphp.vulnweb.com/ #85

Open BilalK-Continuum opened 6 years ago

BilalK-Continuum commented 6 years ago

Hi, app_scan feature is running more than 1 hours and still running infinite time. I'm testing this on mentioned URL "http://testphp.vulnweb.com/".

Create sample class file for app scan and same has been updated in Config.xml as per documentation. https://github.com/continuumsecurity/bdd-security/wiki/3-Configuration Section : Scan with OWASP ZAP

Also while going through the zap log file, observed that it's scanning also other URL's that is not mentioned in baseURL.

Below is my zap.log file including config.xml and MyComplexApp.java

Config.XML

<?xml version="1.0" encoding="ISO-8859-1" ?>

Chrome http://testphp.vulnweb.com/ net.continuumsecurity.MyComplexApp /opt/sslyze/sslyze_cli.py login test test .*logout.* baseUrl SDFsdfwjx1 bobbles admin admin zap/zap.bat

net\continuumsecurity\MyComplexApp.java

package net.continuumsecurity; import org.openqa.selenium.By; import net.continuumsecurity.behaviour.INavigable; import net.continuumsecurity.web.WebApplication; public class MyComplexApp extends WebApplication implements INavigable { public void navigate() { driver.get(Config.getInstance().getBaseUrl() + "login.php" ); UserPassCredentials creds = new UserPassCredentials(Config.getInstance().getDefaultCredentials()); driver.findElement(By.name("uname")).clear();
driver.findElement(By.name("uname")).sendKeys(creds.getUsername()); driver.findElement(By.name("pass")).clear(); driver.findElement(By.name("pass")).sendKeys(creds.getPassword()); driver.findElement(By.xpath("//*[@id=\"content\"]/div[1]/form/table/tbody/tr[3]/td/input")).click();
//Click on the "tasks" link //findAndWaitForElement(By.linkText("Tasks")).click();
//Enter a search query //driver.findElement(By.id("q")).clear(); //driver.findElement(By.id("q")).sendKeys("test"); //driver.findElement(By.id("search")).click(); } }

zap log

2018-02-24 21:48:49,167 [main ] INFO DaemonBootstrap - OWASP ZAP 2.6.0 started 24/02/18 21:48:49 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config scanner.threadPerHost = 20 was 20 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config spider.thread = 10 was 10 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config api.key = zapapisecret was zapapisecret 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config connection.proxyChain.hostName = was 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config connection.proxyChain.port = 80 was 80 2018-02-24 21:48:49,183 [main ] INFO AbstractParam - Setting config connection.proxyChain.enabled = true was false 2018-02-24 21:48:49,183 [main ] INFO SSLConnector - Reading supported SSL/TLS protocols... 2018-02-24 21:48:49,183 [main ] INFO SSLConnector - Using a SSLEngine... 2018-02-24 21:48:49,214 [main ] INFO SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] 2018-02-24 21:48:49,214 [main ] INFO OptionsParamCertificate - Unsafe SSL renegotiation disabled. 2018-02-24 21:48:49,417 [main ] INFO ENGINE - open start - state not modified 2018-02-24 21:48:49,511 [main ] INFO ENGINE - dataFileCache open start 2018-02-24 21:48:49,542 [main ] INFO ENGINE - dataFileCache open end 2018-02-24 21:48:49,574 [ZAP-daemon] INFO ExtensionFactory - Loading extensions 2018-02-24 21:48:50,120 [ZAP-daemon] INFO ExtensionFactory - Installed add-ons: [[id=alertFilters, fileVersion=4], [id=ascanrules, fileVersion=26], [id=ascanrulesAlpha, fileVersion=19], [id=ascanrulesBeta, fileVersion=21], [id=bruteforce, fileVersion=6], [id=coreLang, fileVersion=11], [id=diff, fileVersion=7], [id=directorylistv1, fileVersion=3], [id=fuzz, fileVersion=8, version=2.0.1], [id=gettingStarted, fileVersion=6], [id=help, fileVersion=7], [id=invoke, fileVersion=6], [id=jxbrowser, fileVersion=2], [id=jxbrowserlinux32, fileVersion=1], [id=jxbrowserlinux64, fileVersion=1], [id=jxbrowsermacos, fileVersion=1], [id=jxbrowserwindows, fileVersion=1], [id=onlineMenu, fileVersion=5], [id=pscanrules, fileVersion=19], [id=pscanrulesBeta, fileVersion=16], [id=quickstart, fileVersion=19], [id=replacer, fileVersion=2], [id=reveal, fileVersion=2], [id=saverawmessage, fileVersion=3], [id=scripts, fileVersion=18], [id=selenium, fileVersion=10, version=1.1.0], [id=spiderAjax, fileVersion=17], [id=sqliplugin, fileVersion=11], [id=tips, fileVersion=6], [id=webdriverlinux, fileVersion=2], [id=webdrivermacos, fileVersion=2], [id=webdriverwindows, fileVersion=2], [id=websocket, fileVersion=12], [id=zest, fileVersion=23]] 2018-02-24 21:48:50,370 [ZAP-daemon] INFO ExtensionFactory - Extensions loaded 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Change user agent to other browsers. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Detect insecure or potentially malicious content in HTTP responses. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Detect and alert 'Set-cookie' attempt in HTTP response for modification. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Avoid browser cache (strip off IfModifiedSince) 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Log cookies sent by browser. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Log unique GET queries into file:filter\get.xls 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Log unique POST queries into file: filter\post.xls 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Log request and response into file: filter\message.txt 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Replace HTTP request body using defined pattern. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Replace HTTP request header using defined pattern. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Replace HTTP response body using defined pattern. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Replace HTTP response header using defined pattern. 2018-02-24 21:48:50,496 [ZAP-daemon] INFO FilterFactory - loaded filter Send ZAP session request ID 2018-02-24 21:48:50,589 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows ZAP to check for updates 2018-02-24 21:48:50,589 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionViewOption 2018-02-24 21:48:50,589 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionEdit 2018-02-24 21:48:50,589 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionFilter 2018-02-24 21:48:50,589 [ZAP-daemon] INFO ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionState 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionReport 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHistory 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing Show hidden fields and enable disabled fields 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing Search messages for strings and regular expressions 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing Encode/Decode/Hash... 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows you to intercept and modify requests and responses 2018-02-24 21:48:50,605 [ZAP-daemon] INFO ExtensionLoader - Initializing Passive scanner 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Web Browser XSS Protection Not Enabled 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Password Autocomplete in Browser 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Scanner 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Informations in URL 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override 2018-02-24 21:48:50,667 [ZAP-daemon] INFO ExtensionPassiveScan - loaded passive scan rule: Viewstate Scanner 2018-02-24 21:48:50,683 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows you to view and manage alerts 2018-02-24 21:48:50,683 [ZAP-daemon] INFO ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing Spider used for automatically finding URIs on a site 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionManualRequest 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens 2018-02-24 21:48:50,699 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionAuthentication 2018-02-24 21:48:50,714 [ZAP-daemon] INFO ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication] 2018-02-24 21:48:50,714 [ZAP-daemon] INFO ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Logs errors to the Output tab in development mode only 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionUserManagement 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Script integration 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionForcedUser 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Extension handling HTTP sessions 2018-02-24 21:48:50,730 [ZAP-daemon] INFO ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionDiff 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionRequestPostTableView 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionSessionManagement 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management] 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelRequestFormTableView 2018-02-24 21:48:50,871 [ZAP-daemon] INFO ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints. 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing Core UI related functionality. 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionAuthorization 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing AJAX Spider, uses Crawljax 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing Handles adding Global Excluded URLs 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing Adds menu item to refresh the Sites tree 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus. 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing OWASP ZAP User Guide 2018-02-24 21:48:50,886 [ZAP-daemon] INFO ExtensionLoader - Initializing Provides a URL suitable for calling from target sites 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelComponentonentAll 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelHexView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelImageView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelLargeRequestView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelLargeResponseView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelRequestQueryCookieTableView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionHttpPanelSyntaxHighlightTextView 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Active and passive rule configuration 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Statistics 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionStats - Start recording in memory stats 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Context alert rules filter 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Active Scan Rules 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Active Scan Rules - alpha 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Active Scan Rules - beta 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Translations of the core language files 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations. 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows to fuzz HTTP messages. 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing The ZAP Getting Started Guide 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionJxBrowser 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionJxBrowserLinux32 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtSelJxBrowserLinux32 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionJxBrowserLinux64 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtSelJxBrowserLinux64 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionJxBrowserMaxOS 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtSelJxBrowserMacOs 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionJxBrowserWindows 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtSelJxBrowserWindows 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing The Online menu links 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Passive Scan Rules 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Passive Scan Rules - beta 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Quick Start panel 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Easy way to replace strings in requests and responses 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing ExtensionSaveRawHttpMessage 2018-02-24 21:48:51,105 [ZAP-daemon] INFO ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser. 2018-02-24 21:48:51,121 [ZAP-daemon] INFO ExtensionLoader - Initializing Helper extension for Advanced SQL Injection scanner. 2018-02-24 21:48:51,121 [ZAP-daemon] INFO ExtensionLoader - Initializing Tips and Tricks 2018-02-24 21:48:51,121 [ZAP-daemon] INFO ExtensionLoader - Initializing Allows to fuzz WebSocket messages. 2018-02-24 21:48:51,152 [ZAP-daemon] INFO ExtensionCallback - Started callback server on 0.0.0.0:61210 2018-02-24 21:48:51,261 [ZAP-daemon] INFO DaemonBootstrap - ZAP is now listening on 127.0.0.1:61206 2018-02-24 21:48:54,710 [ZAP-ProxyThread-9] INFO Control - Discard Session 2018-02-24 21:48:54,710 [ZAP-ProxyThread-9] INFO Control - New Session 2018-02-24 21:48:54,710 [ZAP-ProxyThread-9] INFO Control - Create and Open Untitled Db 2018-02-24 21:48:54,741 [ZAP-ProxyThread-9] INFO ENGINE - dataFileCache commit start 2018-02-24 21:48:54,788 [ZAP-ProxyThread-9] INFO ENGINE - dataFileCache commit end 2018-02-24 21:48:54,866 [ZAP-ProxyThread-9] INFO ENGINE - Database closed 2018-02-24 21:48:54,991 [ZAP-ProxyThread-9] INFO ENGINE - open start - state not modified 2018-02-24 21:48:55,038 [ZAP-ProxyThread-9] INFO ENGINE - dataFileCache open start 2018-02-24 21:48:55,085 [ZAP-ProxyThread-9] INFO ENGINE - dataFileCache open end 2018-02-24 21:48:56,650 [ZAP-SpiderInitThread-0] INFO SpiderThread - Starting spidering scan on Context: Default Context at Sat Feb 24 21:48:56 IST 2018 2018-02-24 21:48:56,652 [ZAP-SpiderInitThread-0] INFO Spider - Spider initializing... 2018-02-24 21:48:56,665 [ZAP-SpiderInitThread-0] INFO Spider - Starting spider... 2018-02-24 21:48:57,152 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,175 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,175 [Thread-15] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,176 [Thread-15] INFO HostProcess - completed host http://testphp.vulnweb.com in 0.002s 2018-02-24 21:48:57,176 [Thread-13] INFO Scanner - scanner completed in 0.024s 2018-02-24 21:48:57,182 [Thread-17] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,182 [Thread-17] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,183 [Thread-16] INFO Scanner - scanner completed in 0.008s 2018-02-24 21:48:57,186 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,194 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,194 [Thread-19] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,194 [Thread-19] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,194 [Thread-18] INFO Scanner - scanner completed in 0.008s 2018-02-24 21:48:57,198 [Thread-21] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,198 [Thread-21] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,198 [Thread-20] INFO Scanner - scanner completed in 0.004s 2018-02-24 21:48:57,702 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,702 [Thread-24] INFO HostProcess - Scanning 1 node(s) from https://update.googleapis.com 2018-02-24 21:48:57,702 [Thread-24] INFO HostProcess - completed host https://update.googleapis.com in 0s 2018-02-24 21:48:57,702 [Thread-23] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,702 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,733 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,733 [Thread-26] INFO HostProcess - Scanning 1 node(s) from http://redirector.gvt1.com 2018-02-24 21:48:57,733 [Thread-26] INFO HostProcess - completed host http://redirector.gvt1.com in 0s 2018-02-24 21:48:57,733 [Thread-25] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:48:57,733 [Thread-28] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,733 [Thread-28] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,733 [Thread-27] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,733 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,749 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,749 [Thread-30] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,749 [Thread-30] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,749 [Thread-29] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:48:57,749 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,749 [Thread-33] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,749 [Thread-33] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,749 [Thread-31] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,749 [Thread-34] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,749 [Thread-34] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,749 [Thread-32] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,749 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,764 [Thread-36] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,764 [Thread-36] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,764 [Thread-35] INFO Scanner - scanner completed in 0.015s 2018-02-24 21:48:57,764 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,780 [Thread-38] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,780 [Thread-38] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,780 [Thread-37] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:48:57,780 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,796 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,796 [Thread-41] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,796 [Thread-41] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,796 [Thread-39] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:48:57,796 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,796 [Thread-43] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,796 [Thread-43] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,796 [Thread-40] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,796 [Thread-44] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,796 [Thread-44] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,796 [Thread-42] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,796 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,811 [Thread-46] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,811 [Thread-46] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,811 [Thread-45] INFO Scanner - scanner completed in 0.015s 2018-02-24 21:48:57,811 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,811 [Thread-48] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,811 [Thread-48] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,811 [Thread-47] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,811 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,811 [Thread-50] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,811 [Thread-50] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,811 [Thread-49] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:57,827 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:57,827 [Thread-52] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:57,827 [Thread-52] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:57,827 [Thread-51] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,327 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,327 [Thread-54] INFO HostProcess - Scanning 1 node(s) from http://www.eclectasy.com 2018-02-24 21:48:58,327 [Thread-54] INFO HostProcess - completed host http://www.eclectasy.com in 0s 2018-02-24 21:48:58,327 [Thread-53] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,327 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,327 [Thread-56] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,327 [Thread-56] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,327 [Thread-55] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,327 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,327 [Thread-58] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,342 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,342 [Thread-58] INFO HostProcess - completed host http://testphp.vulnweb.com in 0.015s 2018-02-24 21:48:58,342 [Thread-57] INFO Scanner - scanner completed in 0.015s 2018-02-24 21:48:58,342 [Thread-60] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,342 [Thread-60] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,342 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,342 [Thread-59] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,342 [Thread-62] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,342 [Thread-62] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,342 [Thread-61] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,842 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,842 [Thread-64] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,842 [Thread-64] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,842 [Thread-63] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,842 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,842 [Thread-66] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,842 [Thread-66] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,842 [Thread-65] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,842 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,842 [Thread-68] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,842 [Thread-68] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,842 [Thread-67] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,858 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,858 [Thread-70] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,858 [Thread-70] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,858 [Thread-69] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,858 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,858 [Thread-72] INFO HostProcess - Scanning 1 node(s) from http://blog.mindedsecurity.com 2018-02-24 21:48:58,858 [Thread-72] INFO HostProcess - completed host http://blog.mindedsecurity.com in 0s 2018-02-24 21:48:58,858 [Thread-71] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:58,858 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:58,858 [Thread-74] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:58,858 [Thread-74] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:58,858 [Thread-73] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:59,358 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:59,358 [Thread-76] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:59,358 [Thread-76] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:59,358 [Thread-75] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:59,358 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:59,358 [Thread-78] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:59,358 [Thread-78] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:59,358 [Thread-77] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:59,764 [Thread-79] INFO ENGINE - dataFileCache CACHE SIZE limit reached 2018-02-24 21:48:59,764 [Thread-79] WARN ProxyListenerLog - java.sql.SQLException: Data cache size limit is reached: 10000 org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Data cache size limit is reached: 10000 at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source) at org.parosproxy.paros.model.HistoryReference.(Unknown Source) at org.parosproxy.paros.extension.history.ProxyListenerLog.createHistoryReference(Unknown Source) at org.parosproxy.paros.extension.history.ProxyListenerLog.createAndAddMessage(Unknown Source) at org.parosproxy.paros.extension.history.ProxyListenerLog.access$000(Unknown Source) at org.parosproxy.paros.extension.history.ProxyListenerLog$1.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: java.sql.SQLException: Data cache size limit is reached: 10000 at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source) at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source) at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source) ... 7 more Caused by: org.hsqldb.HsqlException: Data cache size limit is reached: 10000 at org.hsqldb.error.Error.error(Unknown Source) at org.hsqldb.error.Error.error(Unknown Source) at org.hsqldb.persist.Cache.put(Unknown Source) at org.hsqldb.persist.DataFileCache.add(Unknown Source) at org.hsqldb.persist.RowStoreAVLDisk.add(Unknown Source) at org.hsqldb.persist.RowStoreAVLDisk.getNewCachedObject(Unknown Source) at org.hsqldb.Table.insertSingleRow(Unknown Source) at org.hsqldb.StatementDML.insertSingleRow(Unknown Source) at org.hsqldb.StatementInsert.getResult(Unknown Source) at org.hsqldb.StatementDMQL.execute(Unknown Source) at org.hsqldb.Session.executeCompiledStatement(Unknown Source) at org.hsqldb.Session.execute(Unknown Source) ... 10 more 2018-02-24 21:48:59,858 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:59,858 [Thread-81] INFO HostProcess - Scanning 1 node(s) from http://testphp.vulnweb.com 2018-02-24 21:48:59,858 [Thread-81] INFO HostProcess - completed host http://testphp.vulnweb.com in 0s 2018-02-24 21:48:59,858 [Thread-80] INFO Scanner - scanner completed in 0s 2018-02-24 21:48:59,858 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:48:59,858 [Thread-83] INFO HostProcess - Scanning 1 node(s) from https://www.linkedin.com 2018-02-24 21:48:59,858 [Thread-83] INFO HostProcess - completed host https://www.linkedin.com in 0s 2018-02-24 21:48:59,858 [Thread-82] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:00,461 [ZAP-SpiderThreadPool-0-thread-4] WARN URLCanonicalizer - Error while Processing URL [android-app://com.google.android.youtube/http/www.youtube.com/channel/UC_99iQFkzdp7NaT9dggbsfw] in the spidering process (on base https://www.youtube.com/user/mindedsecurity): unknown protocol: android-app 2018-02-24 21:49:00,461 [ZAP-SpiderThreadPool-0-thread-4] WARN URLCanonicalizer - Error while Processing URL [ios-app://544007664/vnd.youtube/www.youtube.com/channel/UC_99iQFkzdp7NaT9dggbsfw] in the spidering process (on base https://www.youtube.com/user/mindedsecurity): unknown protocol: ios-app 2018-02-24 21:49:00,868 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:00,883 [Thread-86] INFO HostProcess - Scanning 1 node(s) from https://www.youtube.com 2018-02-24 21:49:00,883 [Thread-86] INFO HostProcess - completed host https://www.youtube.com in 0s 2018-02-24 21:49:00,883 [Thread-85] INFO Scanner - scanner completed in 0.015s 2018-02-24 21:49:00,883 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:00,883 [Thread-88] INFO HostProcess - Scanning 1 node(s) from https://update.googleapis.com 2018-02-24 21:49:00,883 [Thread-88] INFO HostProcess - completed host https://update.googleapis.com in 0s 2018-02-24 21:49:00,883 [Thread-87] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:02,924 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:02,924 [Thread-90] INFO HostProcess - Scanning 1 node(s) from https://twitter.com 2018-02-24 21:49:02,924 [Thread-90] INFO HostProcess - completed host https://twitter.com in 0s 2018-02-24 21:49:02,924 [Thread-89] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:03,002 [ZAP-SpiderThreadPool-0-thread-5] WARN URLCanonicalizer - Error while Processing URL [android-app://com.twitter.android/twitter/user?screen_name=mindedsecurity&ref_src=twsrc%5Egoogle%7Ctwcamp%5Eandroidseo%7Ctwgr%5Eprofile] in the spidering process (on base https://twitter.com/mindedsecurity): unknown protocol: android-app 2018-02-24 21:49:04,439 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:04,455 [Thread-92] INFO HostProcess - Scanning 1 node(s) from https://www.mindedsecurity.com 2018-02-24 21:49:04,455 [Thread-92] INFO HostProcess - completed host https://www.mindedsecurity.com in 0s 2018-02-24 21:49:04,455 [Thread-91] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:49:04,939 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:04,955 [Thread-94] INFO HostProcess - Scanning 1 node(s) from https://www.mindedsecurity.com 2018-02-24 21:49:04,955 [Thread-94] INFO HostProcess - completed host https://www.mindedsecurity.com in 0s 2018-02-24 21:49:04,955 [Thread-93] INFO Scanner - scanner completed in 0.016s 2018-02-24 21:49:04,955 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:04,955 [Thread-96] INFO HostProcess - Scanning 1 node(s) from https://www.mindedsecurity.com 2018-02-24 21:49:04,955 [Thread-96] INFO HostProcess - completed host https://www.mindedsecurity.com in 0s 2018-02-24 21:49:04,955 [Thread-95] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:33,413 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:33,413 [Thread-472] INFO HostProcess - Scanning 1 node(s) from https://www.blogger.com 2018-02-24 21:49:33,413 [Thread-472] INFO HostProcess - completed host https://www.blogger.com in 0s 2018-02-24 21:49:33,413 [Thread-471] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:33,913 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:33,913 [Thread-474] INFO HostProcess - Scanning 1 node(s) from https://www.blogger.com 2018-02-24 21:49:33,913 [Thread-474] INFO HostProcess - completed host https://www.blogger.com in 0s 2018-02-24 21:49:33,913 [Thread-473] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:33,913 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:33,913 [Thread-476] INFO HostProcess - Scanning 1 node(s) from https://cdnjs.cloudflare.com 2018-02-24 21:49:33,913 [Thread-476] INFO HostProcess - completed host https://cdnjs.cloudflare.com in 0s 2018-02-24 21:49:33,913 [Thread-475] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:34,944 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:34,944 [Thread-478] INFO HostProcess - Scanning 1 node(s) from https://apis.google.com 2018-02-24 21:49:34,944 [Thread-478] INFO HostProcess - completed host https://apis.google.com in 0s 2018-02-24 21:49:34,944 [Thread-477] INFO Scanner - scanner completed in 0s 2018-02-24 21:49:35,444 [ZAP-AttackMode] INFO Scanner - scanner started 2018-02-24 21:49:35,444 [Thread-480] INFO HostProcess - Scanning 1 node(s) from http://www.blogblog.com 2018-02-24 21:49:35,444 [Thread-480] INFO HostProcess - completed host http://www.blogblog.com in 0s 2018-02-24 21:49:35,444 [Thread-479] INFO Scanner - scanner completed in 0s

Kindly help..

Thanks....