Comments (14)

GunoH avatar GunoH commented on June 11, 2024 2

Reproduced the issue using Juice Shop application (running on the local host):

  1. Navigate to Juice Shop landing page, using ZAP as proxy.
  2. Remove any non-local hosts from Sites tree.
  3. Run Active Scan with default settings.
  4. Generate 'Risk and confidence HTML' report with default settings.

from zaproxy.

GunoH avatar GunoH commented on June 11, 2024 1

I'm seeing the alert details with latest version. Could you provide more details on how to reproduce that?

I'll see if I can provide some more details.

In the meantime, I've found that the Report Generation plugin might not be the one to blame here, as generating the report with 0.26.0 from a session that was persisted with 0.31.0 installed also results in the details missing from the report.

[edit]
... and now I've also reproduced it 'from scratch' (so including the active scan) with 0.26.0.

GunoH avatar GunoH commented on June 11, 2024 1

If you can use a weekly and enable debug log for org.zaproxy.zap.extension.alert.ExtensionAlert it would provide the necessary details.

Did that. The issue persisted. Got a couple of hundred log lines from that class, all about alerts that it found.
Some errors/warnings that were also there:

NullPointerException (60+ times):

2024-04-30 16:26:10,391 [ZAP-IO-Server-1-3] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.NullPointerException: Cannot invoke "org.parosproxy.paros.core.scanner.Variant.decodeResponseBody(org.parosproxy.paros.network.HttpMessage)" because "this.variant" is null
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.decodeResponseBody(AbstractAppParamPlugin.java:142) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:319) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:253) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:226) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule.access$000(DomXssScanRule.java:71) ~[?:?]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule$1.handleMessage(DomXssScanRule.java:236) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[?:?]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?]
        at java.lang.Thread.run(Thread.java:1583) [?:?]

On a couple of occasions, the host under test failed to respond, apparently:

2024-04-30 17:41:42,495 [ZAP-ActiveScanner-0] WARN  ParameterTamperScanRule - <host> failed to respond
org.apache.hc.core5.http.NoHttpResponseException: <host> failed to respond
        at org.apache.hc.core5.http.impl.io.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:301) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.ZapHttpRequestExecutor.execute(ZapHttpRequestExecutor.java:78) ~[?:?]
        at org.apache.hc.core5.http.impl.io.HttpRequestExecutor.execute(HttpRequestExecutor.java:218) ~[?:?]
        at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager$InternalConnectionEndpoint.execute(PoolingHttpClientConnectionManager.java:712) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.execute(InternalExecRuntime.java:216) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.MainClientExec.execute(MainClientExec.java:116) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:188) ~[?:?]

A few read timeouts:

2024-04-30 21:37:06,742 [ZAP-ActiveScanner-0] WARN  UserAgentScanRule - Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
        at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
        at sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:304) ~[?:?]
        at sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:346) ~[?:?]
        at sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:796) ~[?:?]
        at java.net.Socket$SocketInputStream.read(Socket.java:1099) ~[?:?]
        at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:149) ~[?:?]
        at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:280) ~[?:?]
        at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:247) ~[?:?]
        at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:54) ~[?:?]

Other than that, I didn't see anything interesting in the logs.

Support info:

ZAP
Version: D-2024-04-29

Installed Add-ons: [[id=accessControl, version=11.0.0],
[id=alertFilters, version=21.0.0], [id=ascanrules,
version=66.0.0], [id=ascanrulesBeta, version=54.0.0],
[id=authhelper, version=0.13.0], [id=automation,
version=0.40.0], [id=bruteforce, version=16.0.0],
[id=callhome, version=0.12.0], [id=commonlib,
version=1.25.0], [id=coreLang, version=16.0.0],
[id=database, version=0.4.0], [id=diff, version=15.0.0],
[id=directorylistv1, version=8.0.0], [id=domxss,
version=19.0.0], [id=encoder, version=1.5.0], [id=exim,
version=0.9.0], [id=formhandler, version=6.6.0], [id=fuzz,
version=13.13.0], [id=gettingStarted, version=17.0.0],
[id=graaljs, version=0.7.0], [id=graphql, version=0.24.0],
[id=help, version=18.0.0], [id=hud, version=0.19.0],
[id=invoke, version=15.0.0], [id=network, version=0.16.0],
[id=oast, version=0.18.0], [id=onlineMenu, version=13.0.0],
[id=openapi, version=40.0.0], [id=plugnhack,
version=14.0.0], [id=postman, version=0.4.0],
[id=pscanrules, version=58.0.0], [id=pscanrulesBeta,
version=38.0.0], [id=quickstart, version=47.0.0],
[id=replacer, version=17.0.0], [id=reports, version=0.32.0],
[id=requester, version=7.6.0], [id=retest, version=0.9.0],
[id=retire, version=0.35.0], [id=reveal, version=8.0.0],
[id=scripts, version=45.3.0], [id=selenium,
version=15.23.0], [id=sequence, version=8.0.0], [id=soap,
version=23.0.0], [id=spider, version=0.11.0],
[id=spiderAjax, version=23.19.0], [id=tips, version=13.0.0],
[id=webdriverlinux, version=82.0.0], [id=webdrivermacos,
version=82.0.0], [id=webdriverwindows, version=82.0.0],
[id=websocket, version=31.0.0], [id=zest, version=45.0.0]]

Operating System: Linux
Architecture: amd64
CPU Cores: 1
Max Memory: 1 GB
Java Version: Debian 21.0.2
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /home/username/.ZAP_D/
ZAP Installation Directory: /home/username/ZAP_D-2024-04-29/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

thc202 avatar thc202 commented on June 11, 2024

I'm seeing the alert details with latest version. Could you provide more details on how to reproduce that?

guoqi1234512 avatar guoqi1234512 commented on June 11, 2024

Why did I not have a quick start when installing ZAP 2.14 for Win10?

thc202 avatar thc202 commented on June 11, 2024

Please use the ZAP User Group for questions: https://groups.google.com/g/zaproxy-users

GunoH avatar GunoH commented on June 11, 2024

Update:
Other templates, such as Modern HTML Report with themes and options, do include the details (that one is actually 150 MB), where Risk and Confidence HTML does not (39 kB).

I still have to find the time to come up with a way to reproduce the issue without disclosing too much of our company data. That might take some more days.

thc202 avatar thc202 commented on June 11, 2024

The problem is not with the reports but alerts raised on temporary messages, which get removed when the session is closed.

thc202 avatar thc202 commented on June 11, 2024

If you can use a weekly and enable debug log for org.zaproxy.zap.extension.alert.ExtensionAlert it would provide the necessary details.

thc202 avatar thc202 commented on June 11, 2024

No debug entries with Attempting to create an alert...?

GunoH avatar GunoH commented on June 11, 2024

Nope, no such entries.

$ grep -i extensionalert .ZAP_D/zap.log | wc -l
371
$ grep -i attempting .ZAP_D/zap.log | wc -l
0


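As an added example (not code from this thread and not ZAP's own code), here is a small Python triage script for the kind of zap.log output quoted above. It groups each log4j-style entry line with the exception line and stack frames that follow it, counts entries per level and per exception class, reports for every NullPointerException both the innermost ZAP frame and the scan rule frame that was on the stack, and checks how many ExtensionAlert entries exist versus how many carry the "Attempting to create an alert" message thc202 asked about. The embedded sample log is constructed from the three traces quoted in the thread (trimmed) plus two made-up ExtensionAlert DEBUG lines; the wording of those two lines is an assumption, not ZAP's actual message text.

```python
"""Triage helper for ZAP zap.log output (constructed example, not ZAP's own code)."""
import json
import re
import sys
from collections import Counter
from pathlib import Path

# Entry line as printed by ZAP's log layout: "<ts> [<thread>] <LEVEL> <Logger> - <message>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<message>.*)$"
)
# First line of a Java throwable: "<fully.qualified.Class>[: detail]"
EXC_RE = re.compile(r"^(?P<cls>[A-Za-z_][\w.$]*(?:Exception|Error))(?::\s*(?P<detail>.*))?$")
# Stack frame: "        at <class>.<method>(<file>:<line>) ..."
FRAME_RE = re.compile(r"^\s+at (?P<frame>\S+)\(")

ALERT_LOGGER = "ExtensionAlert"                      # short logger name, as in the thread's log
ALERT_CREATE_MARK = "Attempting to create an alert"  # debug message asked about in the thread

# Constructed sample: the three traces quoted in the thread (trimmed) plus two made-up
# ExtensionAlert DEBUG lines; the wording of those two lines is an assumption.
SAMPLE_LOG = """\
2024-04-30 16:26:10,391 [ZAP-IO-Server-1-3] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.NullPointerException: Cannot invoke "org.parosproxy.paros.core.scanner.Variant.decodeResponseBody(org.parosproxy.paros.network.HttpMessage)" because "this.variant" is null
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.decodeResponseBody(AbstractAppParamPlugin.java:142) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:319) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule$1.handleMessage(DomXssScanRule.java:236) ~[?:?]
2024-04-30 16:26:12,004 [ZAP-ActiveScanner-0] DEBUG ExtensionAlert - Alert found (constructed sample line)
2024-04-30 17:41:42,495 [ZAP-ActiveScanner-0] WARN  ParameterTamperScanRule - <host> failed to respond
org.apache.hc.core5.http.NoHttpResponseException: <host> failed to respond
        at org.apache.hc.core5.http.impl.io.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:301) ~[?:?]
2024-04-30 17:41:50,117 [ZAP-ActiveScanner-0] DEBUG ExtensionAlert - Alert found (constructed sample line)
2024-04-30 21:37:06,742 [ZAP-ActiveScanner-0] WARN  UserAgentScanRule - Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
        at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
"""


def parse_entries(text):
    """Group raw lines into entries; exception and frame lines attach to the preceding entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry.update(exception=None, detail=None, frames=[])
            entries.append(entry)
            continue
        if not entries:
            continue  # continuation text before the first entry line; nothing to attach it to
        cur = entries[-1]
        em = EXC_RE.match(line)
        if em and cur["exception"] is None:
            cur["exception"], cur["detail"] = em.group("cls"), em.group("detail")
            continue
        fm = FRAME_RE.match(line)
        if fm:
            cur["frames"].append(fm.group("frame"))
    return entries


def first_frame(entry, predicate):
    """Innermost stack frame of the entry satisfying predicate, or None."""
    return next((f for f in entry["frames"] if predicate(f)), None)


def triage(text):
    """Summarise a zap.log text: counts per level/exception, NPE sites, alert-logger activity."""
    entries = parse_entries(text)
    alert_entries = [e for e in entries if e["logger"].lower() == ALERT_LOGGER.lower()]
    npe_entries = [e for e in entries if e["exception"] == "java.lang.NullPointerException"]
    is_zap = lambda f: f.startswith(("org.zaproxy.", "org.parosproxy."))
    return {
        "entries": len(entries),
        "by_level": dict(Counter(e["level"] for e in entries)),
        "by_exception": dict(Counter(e["exception"] for e in entries if e["exception"])),
        # where each NPE was thrown inside ZAP, and which scan rule was driving the request
        "npe_sites": dict(Counter(first_frame(e, is_zap) for e in npe_entries)),
        "npe_rules": dict(Counter(first_frame(e, lambda f: "ScanRule" in f) for e in npe_entries)),
        "alert_logger_entries": len(alert_entries),
        "alert_create_entries": sum(
            ALERT_CREATE_MARK.lower() in e["message"].lower() for e in alert_entries
        ),
    }


if __name__ == "__main__":
    # usage: python zap_log_triage.py [path/to/zap.log]; defaults to the constructed sample
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(text), indent=2))
```

Counting whole entries rather than matching lines with grep avoids inflating the ExtensionAlert figure with stack frames that merely mention that class, and the `npe_rules` bucket answers the question a triager wants first: which scan rule was on the stack when `this.variant` was null.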
kingthorin avatar kingthorin commented on June 11, 2024

Can you persist/save the session, zip it up and attach it here?

thc202 avatar thc202 commented on June 11, 2024

A reopened session does not reproduce the issue though.

kingthorin avatar kingthorin commented on June 11, 2024

Oh okay, disregard.
