Rick M
I'm not going to be able to review this for a few weeks due to work and just life stuff. Please know it's appreciated and I'm not ignoring it.
Could you check another Java based app, then we'll know if it's a JVM issue or ZAP issue.
Do we claim to support 3.1 somewhere? I'm pretty sure no one has tackled that yet. Edit: Actually the add-on seems to specifically document 1.2, 2.0, and 3.0. https://www.zaproxy.org/docs/desktop/addons/openapi-support/ >...
Code ref:
- https://github.com/zaproxy/zap-extensions/tree/50308581f0cc2f27e3f735d75d9d8be29d2d347d/addOns/exim/src/main/java/org/zaproxy/addon/exim/urls
Ummm you seem to be leaking passwords in cookies.
The issue here is more that an empty response is triggering the alert. Any status code could still be leaking the actual info, non-compliant behaviour is seen all the time.
You seem to have header injection enabled. So this occurred when comparing the differences between the original and injected values, and a control value, when manipulating the request's `host` header....
It's likely a false positive due to unhandled empty response (in the scan rule).
Some adjustments are coming to prevent this in the future.
Great work!