zaproxy / zaproxy

The ZAP by Checkmarx Core project
https://www.zaproxy.org
Apache License 2.0

log4shell example not working as expected #7145

Closed montao closed 2 years ago

montao commented 2 years ago

Describe the bug

The description is from the article https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/

It's not working at all the way it's described. The report that comes out is not at all about log4shell:


{
        "@version": "2.11.1",
        "@generated": "Wed, 16 Mar 2022 13:50:04",
        "site":[ 
                {
                        "@name": "http://localhost:8000",
                        "@host": "localhost",
                        "@port": "8000",
                        "@ssl": "false",
                        "alerts": [ 
                                {
                                        "pluginid": "10021",
                                        "alertRef": "10021",
                                        "alert": "X-Content-Type-Options Header Missing",
                                        "name": "X-Content-Type-Options Header Missing",
                                        "riskcode": "1",
                                        "confidence": "2",
                                        "riskdesc": "Low (Medium)",
                                        "desc": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>",
                                        "instances":[ 
                                                {
                                                        "uri": "http://localhost:8000/",
                                                        "method": "GET",
                                                        "param": "X-Content-Type-Options",
                                                        "attack": "",
                                                        "evidence": ""
                                                }
                                        ],
                                        "count": "1",
                                        "solution": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>",
                                        "otherinfo": "<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At \"High\" threshold this scan rule will not alert on client or server error responses.</p>",
                                        "reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://owasp.org/www-community/Security_Headers</p>",
                                        "cweid": "693",
                                        "wascid": "15",
                                        "sourceid": "1"
                                }
                        ]
                }
        ]
}

Steps to reproduce the behavior

Follow the steps in the article.

Expected behavior

Something about log4shell in the report

Software versions

Latest

Screenshots

No response

Errors from the zap.log file


2022-03-16 13:42:54,945 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.
2022-03-16 13:49:03,073 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 started 16/03/2022, 13:49:03 with home /Applications/OWASP ZAP.app/Contents/Java/log4shell/
2022-03-16 13:49:03,119 [main ] INFO  AbstractParam - Setting config oast.boast.uri = https://odiss.eu:1337/events was https://odiss.eu:1337/events
2022-03-16 13:49:03,119 [main ] INFO  AbstractParam - Setting config oast.activeScanService = BOAST was BOAST
2022-03-16 13:49:03,119 [main ] INFO  AbstractParam - Setting config oast.boast.pollingFrequency = 10 was 10
2022-03-16 13:49:03,119 [main ] INFO  AbstractParam - Setting config scanner.injectable = 11 was 11
2022-03-16 13:49:03,120 [main ] INFO  AbstractParam - Setting config scanner.scanHeadersAllRequests = true was true
2022-03-16 13:49:03,120 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).description = X-Api-Version was X-Api-Version
2022-03-16 13:49:03,120 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).enabled = true was true
2022-03-16 13:49:03,120 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).matchtype = REQ_HEADER was REQ_HEADER
2022-03-16 13:49:03,120 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).matchstr = X-Api-Version was X-Api-Version
2022-03-16 13:49:03,121 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).regex = false was false
2022-03-16 13:49:03,121 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).replacement = test was test
2022-03-16 13:49:03,121 [main ] INFO  AbstractParam - Setting config replacer.full_list(0).initiators = [3] was [3]
2022-03-16 13:49:03,126 [main ] INFO  SSLConnector - Reading supported SSL/TLS protocols...
2022-03-16 13:49:03,126 [main ] INFO  SSLConnector - Using a SSLEngine...
2022-03-16 13:49:03,173 [main ] INFO  SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
2022-03-16 13:49:03,175 [main ] INFO  OptionsParamCertificate - Unsafe SSL renegotiation disabled.
2022-03-16 13:49:03,414 [main ] INFO  ENGINE - dataFileCache open start
2022-03-16 13:49:03,417 [main ] INFO  ENGINE - dataFileCache commit start
2022-03-16 13:49:03,418 [main ] INFO  ENGINE - dataFileCache commit end
2022-03-16 13:49:03,418 [main ] INFO  ENGINE - dataFileCache open end
2022-03-16 13:49:03,457 [main ] INFO  ExtensionFactory - Loading extensions
2022-03-16 13:49:04,222 [main ] INFO  ExtensionFactory - Installed add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrules, version=45.0.0], [id=ascanrulesAlpha, version=36.0.0], [id=automation, version=0.13.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.3.0], [id=commonlib, version=1.8.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.1.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.6.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.8.0], [id=help, version=14.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=network, version=0.1.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=26.0.0], [id=pscanrules, version=39.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.12.0], [id=retest, version=0.2.0], [id=retire, version=0.10.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.7.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdrivermacos, version=36.0.0], [id=websocket, version=25.0.0], [id=zest, version=35.0.0]]
2022-03-16 13:49:04,665 [main ] INFO  TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]
2022-03-16 13:49:04,788 [main ] INFO  ExtensionFactory - Extensions loaded
2022-03-16 13:49:04,912 [main ] INFO  ExtensionLoader - Initializing Allows ZAP to check for updates
2022-03-16 13:49:04,913 [main ] INFO  ExtensionLoader - Initializing Options Extension
2022-03-16 13:49:04,913 [main ] INFO  ExtensionLoader - Initializing Edit Menu Extension
2022-03-16 13:49:04,913 [main ] INFO  ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
2022-03-16 13:49:04,918 [main ] INFO  ExtensionLoader - Initializing Session State Extension
2022-03-16 13:49:04,918 [main ] INFO  ExtensionLoader - Initializing History Extension
2022-03-16 13:49:04,919 [main ] INFO  ExtensionLoader - Initializing Show hidden fields and enable disabled fields
2022-03-16 13:49:04,920 [main ] INFO  ExtensionLoader - Initializing Search messages for strings and regular expressions
2022-03-16 13:49:04,920 [main ] INFO  ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
2022-03-16 13:49:04,921 [main ] INFO  ExtensionLoader - Initializing Passive scanner
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: CSP
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
2022-03-16 13:49:04,943 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
2022-03-16 13:49:04,944 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Viewstate
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
2022-03-16 13:49:04,945 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
2022-03-16 13:49:04,955 [main ] INFO  ExtensionLoader - Initializing Allows you to view and manage alerts
2022-03-16 13:49:04,956 [main ] INFO  ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
2022-03-16 13:49:04,960 [main ] INFO  ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
2022-03-16 13:49:04,964 [main ] INFO  ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
2022-03-16 13:49:04,964 [main ] INFO  ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
2022-03-16 13:49:04,965 [main ] INFO  ExtensionLoader - Initializing Manual Request Editor Extension
2022-03-16 13:49:04,965 [main ] INFO  ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
2022-03-16 13:49:04,965 [main ] INFO  ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
2022-03-16 13:49:04,965 [main ] INFO  ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
2022-03-16 13:49:04,967 [main ] INFO  ExtensionLoader - Initializing Authentication Extension
2022-03-16 13:49:04,976 [main ] INFO  ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
2022-03-16 13:49:04,977 [main ] INFO  ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
2022-03-16 13:49:05,097 [main ] INFO  ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
2022-03-16 13:49:05,097 [main ] INFO  ExtensionLoader - Initializing Users Extension
2022-03-16 13:49:05,099 [main ] INFO  ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
2022-03-16 13:49:05,100 [main ] INFO  ExtensionLoader - Initializing Script integration
2022-03-16 13:49:05,102 [main ] INFO  ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
2022-03-16 13:49:05,181 [main ] INFO  ExtensionLoader - Initializing Forced User Extension
2022-03-16 13:49:05,182 [main ] INFO  ExtensionLoader - Initializing Extension handling HTTP sessions
2022-03-16 13:49:05,183 [main ] INFO  ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
2022-03-16 13:49:05,297 [main ] INFO  ExtensionLoader - Initializing ExtensionDiff
2022-03-16 13:49:05,297 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Post Table View Extension
2022-03-16 13:49:05,297 [main ] INFO  ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
2022-03-16 13:49:05,297 [main ] INFO  ExtensionLoader - Initializing Session Management Extension
2022-03-16 13:49:05,301 [main ] INFO  ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
2022-03-16 13:49:05,302 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Form Table View Extension
2022-03-16 13:49:05,302 [main ] INFO  ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
2022-03-16 13:49:05,312 [main ] INFO  ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
2022-03-16 13:49:05,313 [main ] INFO  ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
2022-03-16 13:49:05,313 [main ] INFO  ExtensionLoader - Initializing Core UI related functionality.
2022-03-16 13:49:05,314 [main ] INFO  ExtensionLoader - Initializing Authorization Extension
2022-03-16 13:49:05,314 [main ] INFO  ExtensionLoader - Initializing AJAX Spider, uses Crawljax
2022-03-16 13:49:05,315 [main ] INFO  ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
2022-03-16 13:49:05,321 [main ] INFO  ExtensionLoader - Initializing Manages the local proxy configurations
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing Handles adding Global Excluded URLs
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing OWASP ZAP User Guide
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing Combined HTTP Panels Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Hex View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Image View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Request View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Response View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Query Table View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
2022-03-16 13:49:05,322 [main ] INFO  ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
2022-03-16 13:49:05,323 [main ] INFO  ExtensionLoader - Initializing Active and passive rule configuration
2022-03-16 13:49:05,324 [main ] INFO  ExtensionLoader - Initializing Statistics
2022-03-16 13:49:05,324 [main ] INFO  ExtensionStats - Start recording in memory stats
2022-03-16 13:49:05,325 [main ] INFO  ExtensionLoader - Initializing Custom Pages Definition
2022-03-16 13:49:05,325 [main ] INFO  ExtensionLoader - Initializing The Online menu links
2022-03-16 13:49:05,325 [main ] INFO  ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
2022-03-16 13:49:05,530 [main ] INFO  ExtensionLoader - Initializing Easy way to replace strings in requests and responses
2022-03-16 13:49:05,532 [main ] INFO  ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
2022-03-16 13:49:05,533 [main ] INFO  ExtensionLoader - Initializing The Retest add-on allows to verify the presence/absence of certain alerts.
2022-03-16 13:49:05,534 [main ] INFO  ExtensionLoader - Initializing Heads Up Display
2022-03-16 13:49:05,571 [main ] INFO  ExtensionLoader - Initializing ExtensionHUDlaunch
2022-03-16 13:49:05,571 [main ] INFO  ExtensionLoader - Initializing Tips and Tricks
2022-03-16 13:49:05,571 [main ] INFO  ExtensionLoader - Initializing DOM XSS Active Scan Rule
2022-03-16 13:49:05,610 [main ] INFO  ExtensionLoader - Initializing The ZAP Getting Started Guide
2022-03-16 13:49:05,611 [main ] INFO  ExtensionLoader - Initializing Context alert rules filter
2022-03-16 13:49:05,612 [main ] INFO  ExtensionLoader - Initializing Alert Filters Automation Framework Integration
2022-03-16 13:49:05,613 [main ] INFO  ExtensionLoader - Initializing Ajax Spider Automation Framework Integration
2022-03-16 13:49:05,615 [main ] INFO  ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
2022-03-16 13:49:05,616 [main ] INFO  ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
2022-03-16 13:49:05,617 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP
2022-03-16 13:49:05,618 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP
2022-03-16 13:49:05,619 [main ] INFO  ExtensionLoader - Initializing SOAP Automation Framework Integration
2022-03-16 13:49:05,621 [main ] INFO  ExtensionLoader - Initializing Passive Scan Rules
2022-03-16 13:49:05,622 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
2022-03-16 13:49:05,622 [main ] INFO  ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
2022-03-16 13:49:05,624 [main ] INFO  ExtensionLoader - Initializing GraphQL Automation Framework Integration
2022-03-16 13:49:05,624 [main ] INFO  ExtensionLoader - Initializing Handles all of the calls to ZAP services
2022-03-16 13:49:05,625 [main ] INFO  ExtensionLoader - Initializing Scripts Automation
2022-03-16 13:49:05,627 [main ] INFO  ExtensionLoader - Initializing Provides core networking capabilities.
2022-03-16 13:49:05,630 [main ] INFO  ExtensionLoader - Initializing Active Scan Rules - alpha
2022-03-16 13:49:05,630 [main ] INFO  ExtensionLoader - Initializing Active Scan Rules
2022-03-16 13:49:05,630 [main ] INFO  ExtensionLoader - Initializing Automation Framework
2022-03-16 13:49:05,631 [main ] INFO  ExtensionLoader - Initializing ExtensionOast
2022-03-16 13:49:05,634 [main ] INFO  ExtensionLoader - Initializing Adds OAST scripts.
2022-03-16 13:49:05,634 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
2022-03-16 13:49:05,634 [main ] INFO  ExtensionLoader - Initializing org.zaproxy.addon.commonlib.ExtensionCommonlib
2022-03-16 13:49:05,634 [main ] INFO  ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
2022-03-16 13:49:05,634 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz HTTP messages.
2022-03-16 13:49:05,635 [main ] INFO  ExtensionLoader - Initializing Report Generation
2022-03-16 13:49:05,636 [main ] INFO  ExtensionLoader - Initializing Report Generation Automation Integration
2022-03-16 13:49:05,637 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
2022-03-16 13:49:05,637 [main ] INFO  ExtensionLoader - Initializing Import and Export functionality supporting multiple formats.
2022-03-16 13:49:05,638 [main ] INFO  ExtensionLoader - Initializing Import/Export Automation Framework Integration
2022-03-16 13:49:05,639 [main ] INFO  ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
2022-03-16 13:49:05,641 [main ] INFO  ExtensionLoader - Initializing OpenAPI Automation Framework Integration
2022-03-16 13:49:06,095 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:61642
2022-03-16 13:49:06,288 [main ] INFO  CommandLine - Job activeScan set defaultStrength = medium
2022-03-16 13:49:06,289 [main ] INFO  CommandLine - Job activeScan set defaultThreshold = off
2022-03-16 13:49:06,296 [main ] INFO  CommandLine - Job delay set time = 0:30
2022-03-16 13:49:06,297 [main ] INFO  CommandLine - Job report set template = traditional-json
2022-03-16 13:49:06,297 [main ] INFO  CommandLine - Job report set reportFile = log4shell-report
2022-03-16 13:49:06,372 [main ] INFO  CommandLine - Job spider started
2022-03-16 13:49:06,373 [main ] INFO  CommandLine - Job spider requesting URL http://localhost:8000/
2022-03-16 13:49:06,710 [ZAP-SpiderInitThread-0] INFO  SpiderThread - Starting spidering scan on Context: Default Context at 2022-03-16T13:49:06.710+0100
2022-03-16 13:49:06,713 [ZAP-SpiderInitThread-0] INFO  Spider - Spider initializing...
2022-03-16 13:49:06,728 [ZAP-SpiderInitThread-0] INFO  Spider - Starting spider...
2022-03-16 13:49:07,214 [ZAP-SpiderThreadPool-0-thread-2] INFO  Spider - Spidering process is complete. Shutting down...
2022-03-16 13:49:07,215 [ZAP-SpiderShutdownThread-0] INFO  SpiderThread - Spider scanning complete: true on Context: Default Context at 2022-03-16T13:49:07.214+0100
2022-03-16 13:49:07,718 [main ] INFO  CommandLine - Job spider found 3 URLs
2022-03-16 13:49:07,719 [main ] INFO  CommandLine - Job spider finished
2022-03-16 13:49:07,724 [main ] INFO  CommandLine - Job activeScan started
2022-03-16 13:49:07,731 [main ] INFO  CommandLine - Job activeScan set default strength to MEDIUM
2022-03-16 13:49:07,731 [main ] INFO  CommandLine - Job activeScan set default threshold to OFF
2022-03-16 13:49:07,732 [main ] INFO  CommandLine - Job activeScan set rule 40,043 strength to DEFAULT
2022-03-16 13:49:07,732 [main ] INFO  CommandLine - Job activeScan set rule 40,043 threshold to MEDIUM
2022-03-16 13:49:07,734 [main ] INFO  Scanner - scanner started
2022-03-16 13:49:07,743 [Thread-6] INFO  HostProcess - Scanning 3 node(s) from http://localhost:8000
2022-03-16 13:49:07,744 [Thread-6] INFO  HostProcess - start host http://localhost:8000 | Log4ShellScanRule strength MEDIUM threshold MEDIUM
2022-03-16 13:49:34,847 [Thread-6] INFO  HostProcess - completed host/plugin http://localhost:8000 | Log4ShellScanRule in 27.103s with 117 message(s) sent and 0 alert(s) raised.
2022-03-16 13:49:34,848 [Thread-6] INFO  HostProcess - completed host http://localhost:8000 in 27.108s with 0 alert(s) raised.
2022-03-16 13:49:34,848 [Thread-5] INFO  Scanner - scanner completed in 27.114s
2022-03-16 13:49:34,853 [main ] INFO  CommandLine - Job activeScan finished
2022-03-16 13:49:34,853 [main ] INFO  CommandLine - Job delay started
2022-03-16 13:50:04,917 [main ] INFO  CommandLine - Job delay ended after specified time 0:30
2022-03-16 13:50:04,918 [main ] INFO  CommandLine - Job delay finished
2022-03-16 13:50:04,918 [main ] INFO  CommandLine - Job report started
2022-03-16 13:50:05,225 [main ] INFO  CommandLine - Job report generated report /Users/niklrose/log4shell-report.json
2022-03-16 13:50:05,225 [main ] INFO  CommandLine - Job report finished
2022-03-16 13:50:05,225 [main ] INFO  CommandLine - Automation plan succeeded!
2022-03-16 13:50:10,653 [main ] INFO  ENGINE - dataFileCache commit start
2022-03-16 13:50:10,657 [main ] INFO  ENGINE - dataFileCache commit end
2022-03-16 13:50:10,659 [main ] INFO  ENGINE - Database closed
2022-03-16 13:50:10,769 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.

Additional context

It would have been much better to receive some information about what's wrong instead of forcing me, the user, to guess, not knowing what's going on or why.

Would you like to help fix this issue?

thc202 commented 2 years ago

Please use the OWASP ZAP User Group for usage questions.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.