zaproxy / zaproxy

The ZAP by Checkmarx Core project
https://www.zaproxy.org
Apache License 2.0

Running Ajax spider w/ default settings in weekly container throws firefox Lib error #6700

Closed mattemoore closed 3 years ago

mattemoore commented 3 years ago

Describe the bug Running Ajax spider w/ default settings in weekly container throws firefox Lib error. The scan then just runs on a small list of URLs rather than the full list found by Ajax Spider when I run ZAP on my desktop.

To Reproduce Steps to reproduce the behavior:

docker run --name cdp-pen-test --network host -t owasp/zap2docker-weekly zap-baseline.py -j -t https://www.google.com -J report.json

INFO: Created user preferences directory.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/zap/./plugin/spiderAjax-release-23.3.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
1626731820863   geckodriver     INFO    Listening on 127.0.0.1:8218
1626731821293   mozrunner::runner       INFO    Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofilee4sHaf"
*** You are running in headless mode.

(firefox:188): GLib-GObject-WARNING **: 21:57:02.517: invalid (NULL) pointer instance

(firefox:188): GLib-GObject-CRITICAL **: 21:57:02.522: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed

(/usr/lib/firefox/firefox:232): GLib-GObject-WARNING **: 21:57:04.914: invalid (NULL) pointer instance

(/usr/lib/firefox/firefox:232): GLib-GObject-CRITICAL **: 21:57:04.923: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed

(/usr/lib/firefox/firefox:251): GLib-GObject-WARNING **: 21:57:05.285: invalid (NULL) pointer instance

(/usr/lib/firefox/firefox:251): GLib-GObject-CRITICAL **: 21:57:05.292: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new Error("", "(unknown module)"))

(/usr/lib/firefox/firefox:301): GLib-GObject-WARNING **: 21:57:11.017: invalid (NULL) pointer instance

(/usr/lib/firefox/firefox:301): GLib-GObject-CRITICAL **: 21:57:11.025: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 376))
1626731835284   Marionette      INFO    Listening on port 40581
1626731836403   Marionette      WARN    TLS certificate errors will be ignored for this session
1626731839940   Marionette      INFO    Stopped listening on port 40581

Expected behavior Spider results, then ajax spider results, then baseline scan results.

Software versions

Errors from the zap.log file

$ cat zap.out
Found Java version 11.0.9.1
Available memory: 7961 MB
Using JVM args: -Xmx1990m
2072 [main] INFO  org.zaproxy.zap.DaemonBootstrap - OWASP ZAP D-2021-01-20 started 20/07/2021, 12:10:10 with home /home/zap/.ZAP_D/
2111 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config database.recoverylog = false was false
2111 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was true
2111 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was .*
2112 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was true
2112 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 1 was 1
2131 [main] INFO  org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
2132 [main] INFO  org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
2306 [main] INFO  org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
2314 [main] INFO  org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
2975 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
3013 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
3022 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
3023 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
3098 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Loading extensions
5030 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=11.0.0], [id=ascanrules, version=40.0.0], [id=ascanrulesBeta, version=35.0.0], [id=bruteforce, version=11.0.0], [id=commonlib, version=1.4.0], [id=coreLang, version=14.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=11.0.0], [id=encoder, version=0.5.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.2.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.3.0], [id=help, version=12.0.0], [id=hud, version=0.13.0], [id=importurls, version=8.0.0], [id=invoke, version=11.0.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=19.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=35.0.0], [id=pscanrulesBeta, version=25.0.0], [id=quickstart, version=30.0.0], [id=replacer, version=9.0.0], [id=retire, version=0.7.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=6.0.0], [id=savexmlmessage, version=0.2.0], [id=scripts, version=29.0.0], [id=selenium, version=15.4.0], [id=sequence, version=6.0.0], [id=soap, version=7.0.0], [id=spiderAjax, version=23.3.0], [id=tips, version=8.0.0], [id=webdriverlinux, version=29.0.0], [id=webdrivermacos, version=29.0.0], [id=webdriverwindows, version=29.0.0], [id=websocket, version=24.0.0], [id=zest, version=34.0.0]]
5801 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
6149 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
6151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
6151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
6151 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
6177 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
6177 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
6178 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
6179 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
6180 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
6187 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
6188 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
6283 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
6284 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
6284 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
6285 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
6286 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
6286 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
6286 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
6286 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
6293 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
6294 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
6295 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
6296 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control Header Set
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
6297 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
6299 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
6299 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute
6299 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
6299 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
6300 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
6300 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
6301 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
6301 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
6301 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
6302 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
6302 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
6302 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
6302 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
6302 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
6303 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
6304 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header
6304 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
6304 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
6327 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
6328 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
6332 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSequence
6332 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
6365 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
6365 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
6367 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple but effective port scanner
6369 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
6369 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
6369 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
6370 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
6371 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
6397 [ZAP-daemon] INFO  org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
6417 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
6748 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
6755 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
6758 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
6759 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
6761 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
7169 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
7170 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
7173 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
7646 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
7647 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
7647 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
7647 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration
7657 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
7666 [ZAP-daemon] INFO  org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
7667 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
7667 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
7710 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
7710 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
7711 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
7711 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
7711 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
7712 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
7717 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
7718 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
7731 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
7732 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
7732 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
7732 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
7734 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
7734 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
7735 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
7736 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
7738 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
7739 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
7742 [ZAP-daemon] INFO  org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
7743 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Definition
7743 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
7743 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
7743 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
7744 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
7745 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
7745 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
7752 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
7752 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
7753 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
7753 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files
7753 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
7754 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
7754 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
7754 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
7758 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
7864 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
7864 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing DOM XSS Active Scan Rule
7991 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
8678 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
8682 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
8683 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
8684 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
8684 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
8684 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
8685 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
8685 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
8701 [ZAP-daemon] INFO  org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:46501
10030 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on update check complete
10033 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-25.zap
10033 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:58947
15449 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on https://cdp-local at Tue Jul 20 12:10:24 UTC 2021
15457 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
15504 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
15724 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
15725 [ZAP-SpiderShutdownThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
20163 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20165 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20166 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20193 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20195 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20196 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20198 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20222 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20224 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20225 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20227 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20228 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20229 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20230 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20246 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20248 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20252 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20268 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20270 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20271 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20273 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20280 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20299 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20302 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts.
20559 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Running Crawljax (with firefox-headless): API - https://cdp-local
20562 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Starting proxy...
20562 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Proxy started, listening at port [44631].
21011 [ZAP-AjaxSpiderApi] INFO  com.crawljax.core.plugin.Plugins - Loaded org.zaproxy.zap.extension.spiderAjax.SpiderThread$DummyPlugin@3ae99fcb as a OnBrowserCreatedPlugin
26820 [Forwarding newSession on session null to remote] INFO  org.openqa.selenium.remote.ProtocolHandshake - Detected dialect: W3C
28679 [ZAP-AjaxSpiderApi] INFO  com.crawljax.core.CrawlController - Received shutdown notice. Reason is Exausted
29452 [ZAP-AjaxSpiderApi] INFO  com.crawljax.core.CrawlController - Shutdown process complete
29453 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Stopping proxy...
29554 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Proxy stopped.
29555 [ZAP-AjaxSpiderApi] INFO  org.zaproxy.zap.extension.spiderAjax.SpiderThread - Finished Crawljax: API - https://cdp-local
30608 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner HTTP Server Response Header as it has raised more than 10 alerts.
32634 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
32672 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
32681 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
32799 [ZAP-Shutdown] INFO  org.zaproxy.zap.extension.api.CoreAPI - OWASP ZAP D-2021-01-20 terminated.
$ 

Would you like to help fix this issue? I'm open to help provide more debug information or different repro steps.

kingthorin commented 3 years ago

What errors are you getting in the container that you're not getting in desktop? https://www.zaproxy.org/faq/how-do-you-configure-zap-logging/

Everything in that output seems normal/expected.

mattemoore commented 3 years ago

Thanks for the reply. I don't see the GLib errors on the desktop but that could be because I'm on a Windows desktop. Am I to understand we should ignore the GLib errors in this case then? Side question: is there a log of crawled urls that I can output that would help confirm that the ajax spider worked correctly?


kingthorin commented 3 years ago

You can check the log on Windows that's why I provided that link. (Or you could launch ZAP on desktop using zap.bat and then you'll have console output.)

You can check the ajax spider results: https://www.zaproxy.org/docs/api/#aspider_results_api
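To answer the side question about confirming which URLs the Ajax spider actually crawled, here is an added example (not code from the thread or from the ZAP project) that pulls the result list from the API view linked above and compares it against the classic spider's list, so a run that only covered "a small list of URLs" shows up as an empty or short `only_ajax` set. Assumed, not stated in the thread: the daemon address `ZAP_ADDR`, that the API key is disabled (`api.disablekey = true`, as the posted log shows), the `start`/`count` parameters of `ajaxSpider/view/results`, and the JSON shapes modelled by the constructed `SAMPLE_*` payloads (a `results` array of messages whose `requestHeader` string starts with the request line). The helper names are this example's own.

```python
"""Verify what the ZAP Ajax Spider actually crawled, using the ZAP JSON API.

Added example for the zaproxy/zaproxy#6700 discussion; not ZAP project code.
Assumptions (not stated in the thread): the ZAP daemon listens on ZAP_ADDR,
the API key is disabled (api.disablekey=true, as the posted zap.out shows),
and the two view endpoints return the JSON shapes modelled in SAMPLE_* below.
"""
import json
import urllib.parse
import urllib.request

ZAP_ADDR = "http://127.0.0.1:8080"  # assumed address; the posted log used 0.0.0.0:58947


def api_url(component, view, **params):
    """Build a ZAP JSON API view URL, e.g. /JSON/ajaxSpider/view/results/?start=0&count=100."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_ADDR}/JSON/{component}/view/{view}/" + (f"?{query}" if query else "")


def fetch_json(url, timeout=30):
    """GET a ZAP API view and decode the JSON body (network call; the offline demo does not use it)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def url_from_request_header(header):
    """Return the request URL from an HTTP request header block ('GET <url> HTTP/1.1 ...')."""
    first_line = header.splitlines()[0] if header else ""
    parts = first_line.split()
    return parts[1] if len(parts) >= 3 else None


def ajax_crawled_urls(results_json):
    """Unique request URLs, in crawl order, from ajaxSpider/view/results output."""
    seen = []
    for item in results_json.get("results", []):
        url = url_from_request_header(item.get("requestHeader", ""))
        if url and url not in seen:
            seen.append(url)
    return seen


def compare_crawls(spider_json, ajax_json):
    """Split URLs into those seen by both spiders, only the classic spider, only the Ajax spider."""
    classic = set(spider_json.get("results", []))
    ajax = set(ajax_crawled_urls(ajax_json))
    return {
        "both": sorted(classic & ajax),
        "only_spider": sorted(classic - ajax),
        "only_ajax": sorted(ajax - classic),
    }


# Constructed sample payloads standing in for live API responses (assumed shape).
SAMPLE_SPIDER = {"results": ["https://cdp-local/", "https://cdp-local/robots.txt"]}
SAMPLE_AJAX = {"results": [
    {"id": "1", "requestHeader": "GET https://cdp-local/ HTTP/1.1\r\nHost: cdp-local\r\n\r\n"},
    {"id": "2", "requestHeader": "GET https://cdp-local/app/main.js HTTP/1.1\r\nHost: cdp-local\r\n\r\n"},
    {"id": "3", "requestHeader": "GET https://cdp-local/ HTTP/1.1\r\nHost: cdp-local\r\n\r\n"},
]}


def live_report():
    """Pull both result sets from a running daemon and compare them (needs a reachable ZAP)."""
    spider = fetch_json(api_url("spider", "results"))
    ajax = fetch_json(api_url("ajaxSpider", "results", start=0, count=1000))
    return compare_crawls(spider, ajax)


if __name__ == "__main__":
    # Offline demonstration on the constructed payloads; swap in live_report() against a daemon.
    print(json.dumps(compare_crawls(SAMPLE_SPIDER, SAMPLE_AJAX), indent=2))
```

Run against a daemon started by zap-baseline.py, `live_report()` gives a quick sanity check: if the Ajax spider ran unauthenticated or was blocked, `only_ajax` will be nearly empty while `ajax_crawled_urls` shows the same login or error page repeated, which is more telling than the GLib noise in the container output.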

thc202 commented 3 years ago

Those errors are not the cause, they are "normal" actually https://github.com/zaproxy/zaproxy/issues/6431#issuecomment-770785358 .

mattemoore commented 3 years ago

I figured it out. Wrong headers were making Ajax spider run not authenticated. I will close the bug. Sorry for the noise.


github-actions[bot] commented 3 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.