@hexrom
Created July 12, 2022 00:37
Revisions

  1. @kmcquade kmcquade revised this gist Jun 10, 2021. 1 changed file with 109 additions and 0 deletions.
    109 changes: 109 additions & 0 deletions zap-template.yaml
    @@ -0,0 +1,109 @@
    --- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
    env: # The environment, mandatory
    contexts: # List of 1 or more contexts, mandatory
    - name: context 1 # Name to be used to refer to this context in other jobs, mandatory
    url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
    includePaths: # TBA: An optional list of regexes to include
    excludePaths: # TBA: An optional list of regexes to exclude
    authentication: # TBA: In time to cover all auth configs
    parameters:
    failOnError: true # If set exit on an error
    failOnWarning: false # If set exit on a warning
    progressToStdout: true # If set will write job progress to stdout

    jobs:
    - type: addOns # Add-on management
    parameters:
    updateAddOns: true # Update any add-ons that have new versions
    install: # A list of non standard add-ons to install from the ZAP Marketplace
    - ascanrules
    - ascanrulesAlpha
    - ascanrulesBeta
    - pscanrulesBeta
    - pscanrulesAlpha
    - automation
    - domxss
    - graphql
    - openapi
    - reflect
    - reports
    - soap
    - spiderAjax
    uninstall: # A list of standard add-ons to uninstall
    - type: passiveScan-config # Passive scan configuration
    parameters:
    maxAlertsPerRule: 10 # Int: Maximum number of alerts to raise per rule
    scanOnlyInScope: true # Bool: Only scan URLs in scope (recommended)
    maxBodySizeInBytesToScan: # Int: Maximum body size to scan, default: 0 - will scan all messages
    rules: # A list of one or more passive scan rules and associated settings which override the defaults
    - id: None

    - type: spider # The traditional spider - fast but doesnt handle modern apps so well
    parameters:
    context: # String: Name of the context to spider, default: first context
    url: # String: Url to start spidering from, default: first context URL
    failIfFoundUrlsLessThan: # Int: Fail if spider finds less than the specified number of URLs, default: 0
    warnIfFoundUrlsLessThan: # Int: Warn if spider finds less than the specified number of URLs, default: 0
    maxDuration: # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
    maxDepth: # Int: The maximum tree depth to explore, default 5
    maxChildren: # Int: The maximum number of children to add to each node in the tree
    acceptCookies: # Bool: Whether the spider will accept cookies, default: true
    handleODataParametersVisited: # Bool: Whether the spider will handle OData responses, default: false
    handleParameters: # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
    maxParseSizeBytes: # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
    parseComments: # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
    parseGit: # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
    parseRobotsTxt: # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
    parseSitemapXml: # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
    parseSVNEntries: # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
    postForm: # Bool: Whether the spider will submit POST forms, default: true
    processForm: # Bool: Whether the spider will process forms, default: true
    requestWaitTime: # Int: The time between the requests sent to a server in milliseconds, default: 200
    sendRefererHeader: # Bool: Whether the spider will send the referer header, default: true
    threadCount: # Int: The number of spider threads, default: 2
    userAgent: # String: The user agent to use in requests, default: '' - use the default ZAP one
    - type: passiveScan-wait # Passive scan wait for the passive scanner to finish
    parameters:
    maxDuration: 1 # Int: The max time to wait for the passive scanner, default: 0 unlimited
    - type: activeScan # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
    context: # String: Name of the context to attack, default: first context
    policy: # String: Name of the scan policy to be used, default: Default Policy
    maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
    maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
    addQueryParam: # Bool: If set will add an extra query parameter to requests that do not have one, default: false
    defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
    delayInMs: # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
    handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
    injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
    scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
    threadPerHost: # Int: The max number of threads per host, default: 2
    policyDefinition: # The policy definition - only used if the 'policy' is not set
    defaultStrength: Low # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
    defaultThreshold: Off # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
    rules: # A list of one or more active scan rules and associated settings which override the defaults
    - id: 20012
    threshold: Medium
    strength: Medium

    - type: report # Report generation
    parameters:
    template: # String: The template id, default : traditional-html
    reportDir: /tmp/zap/ # String: The directory into which the report will be written
    reportFile: # String: The report file name pattern, default: {yyyy-MM-dd}-ZAP-Report-[[site]]
    reportTitle: # String: The report title
    reportDescription: # String: The report description
    displayReport: # Boolean: Display the report when generated, default: false
    risks: # List: The risks to include in this report, default all
    - high
    - medium
    - low
    - info

    confidences: # List: The confidences to include in this report, default all
    - high
    - medium
    - low
    - falsepositive

    sections: # List: The template sections to include in this report - see the relevant template, default all
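Review bot: the `- id: None` entry under the passiveScan-config `rules:` list cannot be a rule id, since rule ids in this file are integers (compare `- id: 20012` in the activeScan policyDefinition), and with `failOnError: true` at the top of the file ("If set exit on an error") a rejected job ends the plan before the spider ever runs. Either drop the `rules:` block and rely on `maxAlertsPerRule` and `scanOnlyInScope`, or give it a real numeric id with the threshold to apply. Second, `defaultThreshold: Off` in the activeScan policyDefinition (which is the policy in effect here because `policy:` is left empty) switches off every active rule except the one listed, 20012, so this is effectively a single-rule active scan; if that is the intent, a comment saying so would help the next reader, otherwise set the default threshold to Low or Medium and list only the rules to override. Third, `passiveScan-wait` has `maxDuration: 1`, one minute, after which the report job runs with whatever passive results exist at that point, so a run can finish cleanly with incomplete passive coverage; consider leaving it at the default of 0 (unlimited) or raising it to match the spider's `maxDuration`.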
  2. @kmcquade kmcquade created this gist Jun 10, 2021.
    233 changes: 233 additions & 0 deletions zap.log
    @@ -0,0 +1,233 @@
    2021-06-10 15:54:01,240 [main ] INFO Constant - Copying default configuration to /tmp/zap/config.xml
    2021-06-10 15:54:01,445 [main ] INFO Constant - Creating directory /tmp/zap/session
    2021-06-10 15:54:01,450 [main ] INFO Constant - Creating directory /tmp/zap/dirbuster
    2021-06-10 15:54:01,454 [main ] INFO Constant - Creating directory /tmp/zap/fuzzers
    2021-06-10 15:54:01,458 [main ] INFO Constant - Creating directory /tmp/zap/plugin
    2021-06-10 15:54:01,533 [main ] INFO CommandLineBootstrap - OWASP ZAP D-2021-05-03 started 10/06/2021, 15:54:01 with home /tmp/zap/
    2021-06-10 15:54:01,594 [main ] INFO SSLConnector - Reading supported SSL/TLS protocols...
    2021-06-10 15:54:01,595 [main ] INFO SSLConnector - Using a SSLEngine...
    2021-06-10 15:54:01,690 [main ] INFO SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
    2021-06-10 15:54:01,695 [main ] INFO OptionsParamCertificate - Unsafe SSL renegotiation disabled.
    2021-06-10 15:54:02,238 [main ] INFO ENGINE - dataFileCache open start
    2021-06-10 15:54:02,262 [main ] INFO ENGINE - dataFileCache commit start
    2021-06-10 15:54:02,268 [main ] INFO ENGINE - dataFileCache commit end
    2021-06-10 15:54:02,270 [main ] INFO ENGINE - dataFileCache open end
    2021-06-10 15:54:02,343 [main ] INFO ExtensionFactory - Loading extensions
    2021-06-10 15:54:55,797 [main ] INFO ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=11.0.0], [id=ascanrules, version=39.0.0], [id=ascanrulesBeta, version=34.0.0], [id=automation, version=0.3.0], [id=bruteforce, version=11.0.0], [id=commonlib, version=1.3.0], [id=coreLang, version=14.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=11.0.0], [id=encoder, version=0.6.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.2.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.4.0], [id=help, version=12.0.0], [id=hud, version=0.13.0], [id=importurls, version=8.0.0], [id=invoke, version=11.0.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=19.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=34.0.0], [id=pscanrulesBeta, version=25.0.0], [id=quickstart, version=30.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.3.0], [id=retire, version=0.8.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=6.0.0], [id=savexmlmessage, version=0.2.0], [id=scripts, version=29.0.0], [id=selenium, version=15.4.0], [id=sequence, version=6.0.0], [id=soap, version=7.0.0], [id=spiderAjax, version=23.4.0], [id=tips, version=8.0.0], [id=webdriverlinux, version=29.0.0], [id=webdrivermacos, version=29.0.0], [id=webdriverwindows, version=29.0.0], [id=websocket, version=24.0.0], [id=zest, version=35.0.0]]
    2021-06-10 15:54:56,620 [main ] INFO ExtensionFactory - Extensions loaded
    2021-06-10 15:54:56,934 [main ] INFO ExtensionLoader - Initializing Allows ZAP to check for updates
    2021-06-10 15:54:56,939 [main ] INFO ExtensionLoader - Initializing Options Extension
    2021-06-10 15:54:56,941 [main ] INFO ExtensionLoader - Initializing Edit Menu Extension
    2021-06-10 15:54:56,942 [main ] INFO ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
    2021-06-10 15:54:56,952 [main ] INFO ExtensionLoader - Initializing Session State Extension
    2021-06-10 15:54:56,954 [main ] INFO ExtensionLoader - Initializing Report Extension
    2021-06-10 15:54:56,955 [main ] INFO ExtensionLoader - Initializing History Extension
    2021-06-10 15:54:56,958 [main ] INFO ExtensionLoader - Initializing Show hidden fields and enable disabled fields
    2021-06-10 15:54:56,960 [main ] INFO ExtensionLoader - Initializing Search messages for strings and regular expressions
    2021-06-10 15:54:56,962 [main ] INFO ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
    2021-06-10 15:54:56,965 [main ] INFO ExtensionLoader - Initializing Passive scanner
    2021-06-10 15:54:57,044 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
    2021-06-10 15:54:57,046 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
    2021-06-10 15:54:57,047 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
    2021-06-10 15:54:57,048 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
    2021-06-10 15:54:57,049 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control Header Set
    2021-06-10 15:54:57,050 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
    2021-06-10 15:54:57,052 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: CSP
    2021-06-10 15:54:57,053 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
    2021-06-10 15:54:57,054 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
    2021-06-10 15:54:57,055 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
    2021-06-10 15:54:57,056 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
    2021-06-10 15:54:57,057 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
    2021-06-10 15:54:57,058 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
    2021-06-10 15:54:57,058 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
    2021-06-10 15:54:57,059 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
    2021-06-10 15:54:57,060 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
    2021-06-10 15:54:57,061 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
    2021-06-10 15:54:57,063 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
    2021-06-10 15:54:57,063 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
    2021-06-10 15:54:57,064 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
    2021-06-10 15:54:57,065 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
    2021-06-10 15:54:57,066 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
    2021-06-10 15:54:57,067 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
    2021-06-10 15:54:57,068 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
    2021-06-10 15:54:57,069 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
    2021-06-10 15:54:57,070 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
    2021-06-10 15:54:57,071 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Viewstate
    2021-06-10 15:54:57,072 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
    2021-06-10 15:54:57,073 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
    2021-06-10 15:54:57,073 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
    2021-06-10 15:54:57,074 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header
    2021-06-10 15:54:57,075 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
    2021-06-10 15:54:57,076 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
    2021-06-10 15:54:57,078 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
    2021-06-10 15:54:57,079 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
    2021-06-10 15:54:57,080 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
    2021-06-10 15:54:57,081 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
    2021-06-10 15:54:57,081 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
    2021-06-10 15:54:57,082 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
    2021-06-10 15:54:57,083 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
    2021-06-10 15:54:57,084 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
    2021-06-10 15:54:57,085 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
    2021-06-10 15:54:57,086 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
    2021-06-10 15:54:57,087 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
    2021-06-10 15:54:57,088 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
    2021-06-10 15:54:57,089 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
    2021-06-10 15:54:57,090 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
    2021-06-10 15:54:57,091 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
    2021-06-10 15:54:57,092 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
    2021-06-10 15:54:57,093 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
    2021-06-10 15:54:57,094 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
    2021-06-10 15:54:57,095 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Open Redirect
    2021-06-10 15:54:57,096 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
    2021-06-10 15:54:57,097 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
    2021-06-10 15:54:57,127 [main ] INFO ExtensionLoader - Initializing Allows you to view and manage alerts
    2021-06-10 15:54:57,130 [main ] INFO ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
    2021-06-10 15:54:57,138 [main ] INFO ExtensionLoader - Initializing ExtensionSequence
    2021-06-10 15:54:57,140 [main ] INFO ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
    2021-06-10 15:54:57,146 [main ] INFO ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
    2021-06-10 15:54:57,148 [main ] INFO ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
    2021-06-10 15:54:57,152 [main ] INFO ExtensionLoader - Initializing Simple but effective port scanner
    2021-06-10 15:54:57,155 [main ] INFO ExtensionLoader - Initializing Manual Request Editor Extension
    2021-06-10 15:54:57,156 [main ] INFO ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
    2021-06-10 15:54:57,160 [main ] INFO ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
    2021-06-10 15:54:57,164 [main ] INFO ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
    2021-06-10 15:54:57,174 [main ] INFO ExtensionLoader - Initializing Authentication Extension
    2021-06-10 15:54:57,203 [main ] INFO ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
    2021-06-10 15:54:57,238 [main ] INFO ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
    2021-06-10 15:54:57,240 [main ] INFO ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
    2021-06-10 15:54:57,241 [main ] INFO ExtensionLoader - Initializing Users Extension
    2021-06-10 15:54:57,246 [main ] INFO ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
    2021-06-10 15:54:57,248 [main ] INFO ExtensionLoader - Initializing Script integration
    2021-06-10 15:54:57,255 [main ] INFO ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
    2021-06-10 15:54:57,425 [main ] INFO ExtensionLoader - Initializing Forced User Extension
    2021-06-10 15:54:57,427 [main ] INFO ExtensionLoader - Initializing Extension handling HTTP sessions
    2021-06-10 15:54:57,430 [main ] INFO ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
    2021-06-10 15:54:57,870 [main ] INFO ExtensionLoader - Initializing ExtensionDiff
    2021-06-10 15:54:57,871 [main ] INFO ExtensionLoader - Initializing HTTP Panel Post Table View Extension
    2021-06-10 15:54:57,873 [main ] INFO ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
    2021-06-10 15:54:57,875 [main ] INFO ExtensionLoader - Initializing Simple browser configuration
    2021-06-10 15:54:57,876 [main ] INFO ExtensionLoader - Initializing Session Management Extension
    2021-06-10 15:54:57,902 [main ] INFO ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
    2021-06-10 15:54:57,907 [main ] INFO ExtensionLoader - Initializing HTTP Panel Form Table View Extension
    2021-06-10 15:54:57,909 [main ] INFO ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
    2021-06-10 15:54:57,948 [main ] INFO ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
    2021-06-10 15:54:57,953 [main ] INFO ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
    2021-06-10 15:54:57,961 [main ] INFO ExtensionLoader - Initializing Core UI related functionality.
    2021-06-10 15:54:57,962 [main ] INFO ExtensionLoader - Initializing Authorization Extension
    2021-06-10 15:54:57,964 [main ] INFO ExtensionLoader - Initializing AJAX Spider, uses Crawljax
    2021-06-10 15:54:57,970 [main ] INFO ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
    2021-06-10 15:54:57,993 [main ] INFO ExtensionLoader - Initializing Manages the local proxy configurations
    2021-06-10 15:54:57,996 [main ] INFO ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications.
    2021-06-10 15:54:58,000 [main ] INFO ExtensionLoader - Initializing Handles adding Global Excluded URLs
    2021-06-10 15:54:58,002 [main ] INFO ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
    2021-06-10 15:54:58,003 [main ] INFO ExtensionLoader - Initializing OWASP ZAP User Guide
    2021-06-10 15:54:58,005 [main ] INFO ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
    2021-06-10 15:54:58,009 [main ] INFO ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
    2021-06-10 15:54:58,010 [main ] INFO ExtensionLoader - Initializing Combined HTTP Panels Extension
    2021-06-10 15:54:58,011 [main ] INFO ExtensionLoader - Initializing HTTP Panel Hex View Extension
    2021-06-10 15:54:58,012 [main ] INFO ExtensionLoader - Initializing HTTP Panel Image View Extension
    2021-06-10 15:54:58,013 [main ] INFO ExtensionLoader - Initializing HTTP Panel Large Request View Extension
    2021-06-10 15:54:58,016 [main ] INFO ExtensionLoader - Initializing HTTP Panel Large Response View Extension
    2021-06-10 15:54:58,017 [main ] INFO ExtensionLoader - Initializing HTTP Panel Query Table View Extension
    2021-06-10 15:54:58,018 [main ] INFO ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
    2021-06-10 15:54:58,019 [main ] INFO ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
    2021-06-10 15:54:58,020 [main ] INFO ExtensionLoader - Initializing Active and passive rule configuration
    2021-06-10 15:54:58,027 [main ] INFO ExtensionLoader - Initializing Statistics
    2021-06-10 15:54:58,029 [main ] INFO ExtensionStats - Start recording in memory stats
    2021-06-10 15:54:58,032 [main ] INFO ExtensionLoader - Initializing Custom Pages Definition
    2021-06-10 15:54:58,034 [main ] INFO ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
    2021-06-10 15:54:58,042 [main ] INFO ExtensionLoader - Initializing GraphQL Automation Framework Integration
    2021-06-10 15:54:58,046 [main ] INFO ExtensionLoader - Initializing Easy way to replace strings in requests and responses
    2021-06-10 15:54:58,056 [main ] INFO ExtensionLoader - Initializing Context alert rules filter
    2021-06-10 15:54:58,061 [main ] INFO ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
    2021-06-10 15:54:58,067 [main ] INFO ExtensionLoader - Initializing Allows to fuzz HTTP messages.
    2021-06-10 15:54:58,070 [main ] INFO ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
    2021-06-10 15:54:58,073 [main ] INFO ExtensionLoader - Initializing Ajax Spider Automation Framework Integration
    2021-06-10 15:54:58,076 [main ] INFO ExtensionLoader - Initializing Passive Scan Rules
    2021-06-10 15:54:58,077 [main ] INFO ExtensionLoader - Initializing SOAP Automation Framework Integration
    2021-06-10 15:54:58,080 [main ] INFO ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
    2021-06-10 15:54:58,085 [main ] INFO ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
    2021-06-10 15:54:58,097 [main ] INFO ExtensionLoader - Initializing Launch browsers proxying through ZAP
    2021-06-10 15:54:58,104 [main ] INFO ExtensionLoader - Initializing Launch browsers proxying through ZAP
    2021-06-10 15:54:58,112 [main ] INFO ExtensionLoader - Initializing Active Scan Rules
    2021-06-10 15:54:58,115 [main ] INFO ExtensionLoader - Initializing The ZAP Getting Started Guide
    2021-06-10 15:54:58,117 [main ] INFO ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
    2021-06-10 15:54:58,124 [main ] INFO ExtensionLoader - Initializing Automation Framework
    2021-06-10 15:54:58,126 [main ] INFO ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
    2021-06-10 15:54:58,145 [main ] INFO ExtensionLoader - Initializing OpenAPI Automation Framework Integration
    2021-06-10 15:54:58,148 [main ] INFO ExtensionLoader - Initializing The Online menu links
    2021-06-10 15:54:58,149 [main ] INFO ExtensionLoader - Initializing Report Generation
    2021-06-10 15:54:58,153 [main ] INFO ExtensionLoader - Initializing Report Generation Automation Integration
    2021-06-10 15:54:58,157 [main ] INFO ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
    2021-06-10 15:54:58,159 [main ] INFO ExtensionLoader - Initializing Heads Up Display
    2021-06-10 15:54:58,584 [main ] INFO ExtensionLoader - Initializing ExtensionHUDlaunch
    2021-06-10 15:54:58,587 [main ] INFO ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
    2021-06-10 15:54:58,588 [main ] INFO ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
    2021-06-10 15:54:59,737 [main ] INFO ExtensionLoader - Initializing Translations of the core language files
    2021-06-10 15:54:59,739 [main ] INFO ExtensionLoader - Initializing Passive Scan Rules - beta
    2021-06-10 15:54:59,741 [main ] INFO ExtensionLoader - Initializing DOM XSS Active Scan Rule
    2021-06-10 15:54:59,878 [main ] INFO ExtensionLoader - Initializing Active Scan Rules - beta
    2021-06-10 15:54:59,880 [main ] INFO ExtensionLoader - Initializing Tips and Tricks
    2021-06-10 15:55:00,029 [main ] INFO ExtensionCallback - Started callback server on 0.0.0.0:37069
    2021-06-10 15:55:00,037 [main ] INFO ExtensionDynSSL - Creating new root CA certificate
    2021-06-10 15:55:01,309 [main ] INFO ExtensionDynSSL - New root CA certificate created
    2021-06-10 15:55:01,493 [main ] INFO CommandLine - Job addOns set updateAddOns = true
    2021-06-10 15:55:01,495 [main ] INFO CommandLine - Job addOns started
    2021-06-10 15:55:02,527 [main ] INFO ExtensionAutoUpdate - There is/are 1 newer addons
    2021-06-10 15:55:12,934 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Installing new addon reports v0.3.0
    2021-06-10 15:55:13,332 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Finished installing new addon reports v0.3.0
    2021-06-10 15:55:13,397 [main ] INFO CommandLine - Add-on downloaded to: /tmp/zap/plugin/reports-beta-0.3.0.zap
    2021-06-10 15:55:13,399 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/ascanrules-release-39.zap
    2021-06-10 15:55:13,405 [main ] INFO CommandLine - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v30/ascanrulesAlpha-alpha-30.zap
    2021-06-10 15:55:13,408 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/ascanrulesBeta-beta-34.zap
    2021-06-10 15:55:13,410 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-25.zap
    2021-06-10 15:55:13,415 [main ] INFO CommandLine - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesAlpha-v30/pscanrulesAlpha-alpha-30.zap
    2021-06-10 15:55:13,417 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/automation-alpha-0.3.0.zap
    2021-06-10 15:55:13,419 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/domxss-beta-11.zap
    2021-06-10 15:55:13,421 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/graphql-alpha-0.4.0.zap
    2021-06-10 15:55:13,423 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/openapi-beta-19.zap
    2021-06-10 15:55:13,426 [main ] INFO CommandLine - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/2.7/reflect-alpha-0.0.11.zap
    2021-06-10 15:55:13,428 [main ] INFO CommandLine - Add-on already installed: /tmp/zap/plugin/reports-beta-0.3.0.zap
    2021-06-10 15:55:13,430 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/soap-alpha-7.zap
    2021-06-10 15:55:13,431 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/spiderAjax-release-23.4.0.zap
    2021-06-10 15:55:16,126 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Installing new addon ascanrulesAlpha v30.0.0
    2021-06-10 15:55:16,222 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Finished installing new addon ascanrulesAlpha v30.0.0
    2021-06-10 15:55:16,227 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Installing new addon pscanrulesAlpha v30.0.0
    2021-06-10 15:55:16,251 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Base64 Disclosure
    2021-06-10 15:55:16,253 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Content Cacheability
    2021-06-10 15:55:16,255 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: An example passive scan rule which loads data from a file.
    2021-06-10 15:55:16,257 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Example Passive Scan Rule: Denial of Service
    2021-06-10 15:55:16,258 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Feature Policy Header Not Set
    2021-06-10 15:55:16,260 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: In Page Banner Information Leak
    2021-06-10 15:55:16,261 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Dangerous JS Functions
    2021-06-10 15:55:16,262 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Java Serialization Object
    2021-06-10 15:55:16,264 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Insufficient Site Isolation Against Spectre Vulnerability
    2021-06-10 15:55:16,266 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Source Code Disclosure
    2021-06-10 15:55:16,267 [ZAP-DownloadInstaller] INFO ExtensionPassiveScan - loaded passive scan rule: Sub Resource Integrity Attribute Missing
    2021-06-10 15:55:16,283 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Finished installing new addon pscanrulesAlpha v30.0.0
    2021-06-10 15:55:16,293 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Installing new addon reflect v0.0.11
    2021-06-10 15:55:16,316 [ZAP-DownloadInstaller] INFO ExtensionAutoUpdate - Finished installing new addon reflect v0.0.11
    2021-06-10 15:55:16,405 [main ] INFO CommandLine - Add-on downloaded to: /tmp/zap/plugin/reports-beta-0.3.0.zap
    2021-06-10 15:55:16,407 [main ] INFO CommandLine - Add-on downloaded to: /tmp/zap/plugin/ascanrulesAlpha-alpha-30.zap
    2021-06-10 15:55:16,408 [main ] INFO CommandLine - Add-on downloaded to: /tmp/zap/plugin/pscanrulesAlpha-alpha-30.zap
    2021-06-10 15:55:16,410 [main ] INFO CommandLine - Add-on downloaded to: /tmp/zap/plugin/reflect-alpha-0.0.11.zap
    2021-06-10 15:55:16,411 [main ] INFO CommandLine - Job addOns finished
    2021-06-10 15:55:16,413 [main ] INFO CommandLine - Job passiveScan-config set maxAlertsPerRule = 10
    2021-06-10 15:55:16,415 [main ] INFO CommandLine - Job passiveScan-config set scanOnlyInScope = true
    2021-06-10 15:55:16,416 [main ] INFO CommandLine - Job passiveScan-config started
    2021-06-10 15:55:16,419 [main ] ERROR ExtensionAutomation - class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap')
    java.lang.ClassCastException: class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap')
    at org.zaproxy.addon.automation.jobs.PassiveScanConfigJob.runJob(PassiveScanConfigJob.java:62) ~[automation-alpha-0.3.0.zap:?]
    at org.zaproxy.addon.automation.ExtensionAutomation.runPlan(ExtensionAutomation.java:218) ~[automation-alpha-0.3.0.zap:?]
    at org.zaproxy.addon.automation.ExtensionAutomation.runAutomation(ExtensionAutomation.java:233) ~[automation-alpha-0.3.0.zap:?]
    at org.zaproxy.addon.automation.ExtensionAutomation.runAutomationFile(ExtensionAutomation.java:244) [automation-alpha-0.3.0.zap:?]
    at org.zaproxy.addon.automation.ExtensionAutomation.execute(ExtensionAutomation.java:345) [automation-alpha-0.3.0.zap:?]
    at org.parosproxy.paros.extension.ExtensionLoader.runCommandLine(ExtensionLoader.java:552) [zap-D-2021-05-03.jar:D-2021-05-03]
    at org.parosproxy.paros.control.Control.runCommandLine(Control.java:399) [zap-D-2021-05-03.jar:D-2021-05-03]
    at org.zaproxy.zap.CommandLineBootstrap.start(CommandLineBootstrap.java:85) [zap-D-2021-05-03.jar:D-2021-05-03]
    at org.zaproxy.zap.ZAP.main(ZAP.java:131) [zap-D-2021-05-03.jar:D-2021-05-03]
    2021-06-10 15:55:16,428 [main ] ERROR CommandLine - Unexpected error accessing file /tmp/zap/zap-template.yaml : class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap') - see log for details
    2021-06-10 15:55:17,457 [main ] INFO ENGINE - dataFileCache commit start
    2021-06-10 15:55:17,463 [main ] INFO ENGINE - dataFileCache commit end
    2021-06-10 15:55:17,492 [main ] INFO ENGINE - Database closed
    2021-06-10 15:55:17,621 [main ] INFO CommandLineBootstrap - OWASP ZAP D-2021-05-03 terminated.