
Passive scan results might leak into a different session with slow scan rules

Open JuraLys opened this issue 2 years ago • 14 comments

Describe the bug

ZAP sometimes doesn't clear the Sites list after creating a new session without persisting the previous one.

Steps to reproduce the behavior

1. Run ZAP and complete an autoscan of the ain.ua site.
2. Generate a report and create a new session without persisting the previous one.
3. Observe the Sites list in the UI (see screenshot).

Expected behavior

ZAP should clear the Sites list after creating a new session without persisting the previous one.

Software versions

ZAP Version: 2.14.0

Installed Add-ons: [[id=alertFilters, version=19.0.0], [id=ascanrulesBeta, version=48.0.0], [id=authhelper, version=0.10.0], [id=automation, version=0.34.0], [id=bruteforce, version=15.0.0], [id=callhome, version=0.10.0], [id=commonlib, version=1.18.0], [id=coreLang, version=15.0.0], [id=custompayloads, version=0.13.0], [id=database, version=0.3.0], [id=diff, version=14.0.0], [id=directorylistv1, version=7.0.0], [id=directorylistv2_3, version=4.0.0], [id=directorylistv2_3_lc, version=4.0.0], [id=domxss, version=18.0.0], [id=encoder, version=1.4.0], [id=formhandler, version=6.5.0], [id=fuzz, version=13.12.0], [id=fuzzdboffensive, version=4.0.0], [id=gettingStarted, version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql, version=0.21.0], [id=help, version=17.0.0], [id=hud, version=0.18.0], [id=invoke, version=14.0.0], [id=network, version=0.12.0], [id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0], [id=openapi, version=38.0.0], [id=portscan, version=10.0.0], [id=postman, version=0.2.0], [id=pscanrules, version=53.0.0], [id=pscanrulesBeta, version=35.0.0], [id=quickstart, version=43.0.0], [id=replacer, version=16.0.0], [id=reports, version=0.26.0], [id=requester, version=7.4.0], [id=retest, version=0.8.0], [id=retire, version=0.26.0], [id=reveal, version=7.0.0], [id=scripts, version=44.0.0], [id=selenium, version=15.15.0], [id=soap, version=20.0.0], [id=spider, version=0.7.0], [id=spiderAjax, version=23.18.0], [id=sqliplugin, version=15.0.0], [id=svndigger, version=4.0.0], [id=tips, version=12.0.0], [id=tokengen, version=15.0.0], [id=wappalyzer, version=21.28.0], [id=webdriverwindows, version=67.0.0], [id=websocket, version=30.0.0], [id=zest, version=42.0.0]]

Operating System: Windows 10
Architecture: amd64
Java Version: Eclipse Adoptium 21.0.1
System's Locale: uk_UA
Display Locale: en_GB
Format Locale: uk_UA
Default Charset: UTF-8
ZAP Home Directory: C:\Users\Admin\ZAP
ZAP Installation Directory: C:\Program Files\ZAP\Zed Attack Proxy.
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

ZAP-sites-after-new-session

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • [X] Yes

JuraLys avatar Dec 28 '23 11:12 JuraLys

@JuraLys did you open a browser via ZAP? If a browser is opened in one session and not closed then it may well make background requests to the new session. This would be expected.

psiinon avatar Dec 28 '23 14:12 psiinon

That would include something not successfully cleaned up or killed by the AJAX spider or DOM XSS rule.

kingthorin avatar Dec 28 '23 14:12 kingthorin

Reproduced again, see image java-trace-after-new-session.txt

JuraLys avatar Dec 28 '23 16:12 JuraLys

@JuraLys but are you going to answer the question? 😁 If a browser has been launched in the old session and is still active then this is expected.

psiinon avatar Dec 28 '23 16:12 psiinon

I did not open a browser via ZAP.

JuraLys avatar Dec 28 '23 17:12 JuraLys

@JuraLys Did you run the AJAX Spider or Active Scan?

psiinon avatar Dec 28 '23 17:12 psiinon

I ran autoscan with the traditional Spider.

JuraLys avatar Dec 28 '23 17:12 JuraLys

So it's most likely to be the DOM XSS rule being run by the Active Scanner then. How easy is it to reproduce? If it's not too hard then try checking if any headless browsers are open before starting a new session. I would expect at least one to be running if you see this problem once the new session has started.

psiinon avatar Dec 28 '23 17:12 psiinon

What do you mean by headless browsers? I run only different GUI browsers like Chrome, Firefox, Opera...

JuraLys avatar Dec 28 '23 19:12 JuraLys

Both the AJAX Spider and DOM XSS scan rule launch browsers. By default they will use firefox-headless but you can change that.

However, this line after the new session was pointed out to me: "Passive Scan rule Cross-Domain JavaScript Source File Inclusion took 31 seconds to scan". So it's actually the passive scan rule which is still running, which means that something is not being completely shut down when the session changes.

psiinon avatar Dec 29 '23 10:12 psiinon
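The comment above describes the failure mode: a slow passive scan rule started under one session is still running when a new session is created, so its result lands in the new session. The following is an added illustration of a stale-result guard for that situation; it is not ZAP's code, and the names (`ScanSession`, `PassiveScanner`, `run_scenario`) and the simulated slow rule are assumptions for the example. Each unit of work remembers the session it was started for, and a result is only recorded if that session is still current; otherwise it is discarded and counted.

```python
"""Stale-result guard for slow background scan rules.

Illustrative example, not ZAP's implementation. Models the thread's symptom:
a rule started under session 1 finishes after the user has switched to
session 2. Without a guard, the finding is appended to whatever session is
current at completion time; with the guard, it is dropped.
"""
import threading
from dataclasses import dataclass, field


@dataclass
class ScanSession:
    session_id: int
    alerts: list = field(default_factory=list)


class PassiveScanner:
    """Runs scan rules on worker threads and records alerts into the current session."""

    def __init__(self, guard_stale_results: bool):
        self._guard = guard_stale_results
        self._lock = threading.Lock()
        self._current = ScanSession(session_id=1)
        self._threads = []
        self.discarded = 0  # results dropped because their session was no longer current

    def current_session(self) -> ScanSession:
        with self._lock:
            return self._current

    def new_session(self) -> ScanSession:
        """Replace the current session; any in-flight work now belongs to a stale one."""
        with self._lock:
            self._current = ScanSession(session_id=self._current.session_id + 1)
            return self._current

    def submit(self, rule_name: str, rule, message: str) -> None:
        """Run rule(message) on a worker thread, tagged with the session that requested it."""
        session_at_start = self.current_session()

        def worker():
            finding = rule(message)  # may take a long time for a large response
            with self._lock:
                if self._guard and self._current is not session_at_start:
                    self.discarded += 1  # session changed mid-scan: do not leak the result
                    return
                self._current.alerts.append((rule_name, finding))

        t = threading.Thread(target=worker)
        self._threads.append(t)
        t.start()

    def wait(self) -> None:
        for t in self._threads:
            t.join()
        self._threads.clear()


def run_scenario(guard_stale_results: bool) -> dict:
    """Start a slow rule, switch sessions before it finishes, report where the alert landed."""
    scanner = PassiveScanner(guard_stale_results)
    gate = threading.Event()  # keeps the "slow" rule busy until we release it (deterministic)

    def slow_rule(message: str) -> str:
        gate.wait()  # stands in for a rule that takes seconds on a big response
        return f"finding for {message}"

    first = scanner.current_session()
    scanner.submit("slow_rule", slow_rule, "GET /index.html")  # constructed sample message
    second = scanner.new_session()  # like "New Session" in the UI while the rule still runs
    gate.set()                      # the rule now completes, after the session changed
    scanner.wait()
    return {
        "old_session_alerts": len(first.alerts),
        "new_session_alerts": len(second.alerts),
        "discarded": scanner.discarded,
    }


if __name__ == "__main__":
    print("unguarded:", run_scenario(False))
    print("guarded:  ", run_scenario(True))
```

In the unguarded run the alert from the session 1 scan appears in session 2, which is the leak reported in this issue; in the guarded run it is discarded instead. Cancelling or awaiting workers on session change is the stronger fix, but the check at the point of recording is the last line of defence when a rule cannot be interrupted.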

Issue title updated.

thc202 avatar Jan 01 '24 08:01 thc202

One more log: java-trace-after-new-session2.txt

JuraLys avatar Jan 06 '24 15:01 JuraLys

ZAP UI responds very slowly after autoscan was completed; it is hard to create a new session (ZAP-gui-hang-after-scan.txt, ZAP-gui-hang-after-scan2.txt, ZAP-gui-hang-after-scan3.txt).

JuraLys avatar Jan 07 '24 08:01 JuraLys