The OWASP ZAP core project

Overview

OWASP ZAP


The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

For more details about ZAP see the new ZAP website at zaproxy.org

Comments
  • Big messages cause GUI to freeze

    Describe the bug

    After doing scans and collecting info on the site, it detected 'Application Error Disclosure' (6). Upon expanding and clicking on a link (javascript file, can't tell how large), it instantly freezes and nothing else can be done (it may recover after a few minutes' wait). In other parts of the app, I've seen the "Very large response body (xxx bytes) - switch views..." warning, but not in this situation. I have to do a 'killall java' to exit the app and restart.

    On occasion, it will recover after a few minutes, but the app moves slow so I just restart it. When it does recover, the response is unintelligible (see screenshot) and navigating around is slow.

    To Reproduce

    Steps to reproduce the behavior:

    1. Have JS file (size?) in Alert, Application Error Disclosure
    2. Click on link.
    3. App freezes instantly or moves slow.

    Expected behavior

    To see the Request and Response data of the alert.

    Screenshots

    • Click on the 'GET:https://xx/build/js/app.js?v=...' alert (AED-js)
    • Screen freezes; switching desktop and back shows a gray app (goesGray)
    • If it does recover, the Response window looks like this (if-it-does-recover)

    Software versions

    • ZAP: 2.8.1
    • OS: BlackArch 5.4.6 x86_64
    • Java: openjdk 13.0.1
    • Hardware: Happens on both VirtualBox and HD install on laptop.

    Errors from the zap.log file

    Will update, don't have currently.

    Additional context

    Add any other context about the problem here.

    bug Component-UI Usability Performance 
    opened by emptyArrayLLC 54
  • Improve dark mode

    It would be nice for the appearance of the program.

    Updating to make this into a tracker:

    • [x] Add FlatLaf to core
    • [x] Fix splash screen (Make the tips panel slightly smaller and move it down slightly so that the bottom panel only shows 5 lines [at default font settings/lang]?) [This screenshot is shrunk to 75% for ticket inclusion]
    • [x] Fix Quick start panel
    • [x] Fix Request / response / break panels
    • [x] Fix manual request dialog
    • [x] Fix WebSocket message editor
    • [x] Fix script console
    • [x] Fix About screen
    • [x] Fix Java help pages
    • [x] Fix Encode/decode/hash (black text)
    • [x] Fix Options / Check For Updates (black text)
    • [x] Fix Options headings:
    • Highlight contrast concerns:
      • [x] https://github.com/zaproxy/zaproxy/issues/5542#issuecomment-591419439 > Options Panel(s) Search Highlighting (Reference: https://github.com/zaproxy/zaproxy/pull/4141/) (Done in: https://github.com/zaproxy/zaproxy/pull/6328)
      • [x] Find Dialog Highlighting (CTRL + F) (Done in: https://github.com/zaproxy/zaproxy/pull/6328)
      • [x] https://github.com/zaproxy/zaproxy/issues/5542#issuecomment-643019236 > Highlighting in request/response panels, as a result of Alert highlighting or Search tab highlighting (it's more 'white' than the normal click & drag highlight) (Done in: https://github.com/zaproxy/zaproxy/pull/6329)
    • [x] Active Scan progress dialog: https://github.com/zaproxy/zaproxy/issues/5542#issuecomment-606977117 (Done in: https://github.com/zaproxy/zaproxy/pull/6262)

    Add anything else you find above...

    enhancement Component-UI tracker 
    opened by ghost 54
  • Log4j / Log4shell vulnerability

    Describe the bug

    log4j 2.15.x does not fully solve it – see https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/:

    Log4j 2.16.0 completely mitigates this issue by removing support for message lookup patterns and disabling JNDI functionality by default

    Software versions

    • ZAP: 2.11.1
    Type-Task 
    opened by AndiDog 45
  • ZAP Jenkins plugin does not obtain latest spider status

    jenkins_logs.txt

    Logs attached. Debug mode is on already. Looking for suggestions.

    Issue: The Jenkins plugin becomes unresponsive while running ZAP and fails after a while.

    third-party jenkins 
    opened by HUssain14 44
  • Show number of new alerts in Active Scan tab

    Adding GUI Component "New issues" to ActiveScanPanel (reference #3929).

    Is this an acceptable solution for the frontend part? The business logic - querying the number of newly found issues - is missing.

    enhancement Component-UI 
    opened by secf00tprint 44
  • Mac OS Build won't start

    What steps will reproduce the problem?
    1. Double click Mac application.
    
    What is the expected output? What do you see instead?
    Expected output is for the application to start.
    Instead, the OWASP Zap icon just bounces on the dock.  Eventually, the application
    doesn't respond and I have to force quit it.
    
    What version of the product are you using? On what operating system?
    OWASP Zap 2.1.0.
    OSX 10.8.3
    Java Version 1.7.0_21
    
    Please provide any additional information below.
    If I navigate to the package contents and run the zap.sh script, I can get to the application.
     I just can't get the application to run when double clicking the app package.

    Original issue reported on code.google.com by Daniel.J.Aquino on 2013-04-19 15:25:14

    Type-Defect Priority-Medium 
    opened by zapbot 43
  • ZAP getting stuck during active scan in daemon mode

    Describe the bug

    When running in daemon mode, ZAP gets stuck while running an active scan for 15+ hours, but when running in non-daemon mode ZAP completes within an hour. The target and scan policy are the same when initiating the scan in daemon and non-daemon mode.

    Steps to reproduce the behavior

    1. Start ZAP with daemon mode
    2. Spider scan
    3. Ajax Spider
    4. Active scan

    Expected behavior

    ZAP should complete the scan regardless of the daemon setting.

    Software versions

    2.11.1

    Screenshots

    No response

    Errors from the zap.log file

    This was getting printed many times:

    2022-04-20 07:26:54,495 [HSQLDB Timer @295eaa7c] INFO ENGINE - Checkpoint start
    2022-04-20 07:26:54,495 [HSQLDB Timer @295eaa7c] INFO ENGINE - checkpointClose start
    2022-04-20 07:26:54,504 [HSQLDB Timer @295eaa7c] INFO ENGINE - checkpointClose synched
    2022-04-20 07:26:54,510 [HSQLDB Timer @295eaa7c] INFO ENGINE - checkpointClose script done
    2022-04-20 07:26:54,510 [HSQLDB Timer @295eaa7c] INFO ENGINE - dataFileCache commit start
    2022-04-20 07:26:54,568 [HSQLDB Timer @295eaa7c] INFO ENGINE - dataFileCache commit end
    2022-04-20 07:26:54,592 [HSQLDB Timer @295eaa7c] INFO ENGINE - checkpointClose end
    2022-04-20 07:26:54,593 [HSQLDB Timer @295eaa7c] INFO ENGINE - Checkpoint end - txts: 252483

    Additional context

    No response

    Would you like to help fix this issue?

    • [ ] Yes
    opened by RajatGupta16197 38
  • False Positive: Backup Files Triggering on 400 responses

    ZAP shows a false positive Backup File Disclosure alert on the following response:

    HTTP/1.1 400
    Content-Length: 0
    Date: Tue, 17 Jul 2018 07:52:53 GMT
    Connection: close

    FalsePositive add-on historic 
    opened by hnestorova 38
  • Submitting the Attack Surface Detector plugin to the Marketplace

    Add-on repo https://github.com/secdec/attack-surface-detector-zap

    Your contact details [email protected]

    Are you one of the authors Yes

    Licence in repo

    Build instructions

    1. Install Maven: https://maven.apache.org/install.html
    2. Clone the Attack Surface Detector repository: https://github.com/secdec/attack-surface-detector-zap
    3. Navigate to the source code directory, open a terminal and run the command mvn clean package
    4. The plugin will be located in the target folder, named attacksurfacedetector-release-#.zap.

    also in readme

    Link to more information https://github.com/secdec/attack-surface-detector-zap/wiki

    Twitter handle for tool or author(s) https://twitter.com/secdec

    Promote to Beta or Release? Note that all new add-ons start at Alpha status.

    Anything else we should know

    During web application penetration testing, it is important to enumerate your application's attack surface. While Dynamic Application Security Testing (DAST) tools (such as Burp Suite and ZAP) are good at spidering to identify application attack surfaces, they will often fail to identify unlinked endpoints and optional parameters. These endpoints and parameters not found often go untested, which can leave your application open to an attacker. This tool is the Attack Surface Detector, a plugin for OWASP ZAP. This tool figures out the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won't find in client-side code, or optional parameters totally unused in client-side code. The plugin then imports this data into ZAP so you can view the results, or work with the detected endpoints and parameters from the target site map.

    marketplace 
    opened by matthewD-AVI 37
  • ZAP active scanner freezes against DVWA

    What steps will reproduce the problem?
    1. Install DVWA (http://www.dvwa.co.uk/) on Backtrack 5
    2. Manually crawl the app with ZAP then launch the spider
    3. Launch ZAP's active scan 
    
    What is the expected output? What do you see instead?
    The active scanner freezes at 56% (screenshot attached)
    
    
    What version of the product are you using? On what operating system?
    1.3.2. BackTrack 5 R1

    Original issue reported on code.google.com by brahim.sakka on 2011-09-04 23:35:02


    Attachment: Untitled Session - OWASP ZAP_006.png (https://storage.googleapis.com/google-code-attachments/zaproxy/issue-156/comment-0/Untitled Session - OWASP ZAP_006.png)

    Type-Defect Priority-Critical 
    opened by zapbot 37
  • Implement null byte injection ascan rule

    See https://groups.google.com/d/msg/zaproxy-users/_KyG4zxzO9s/MLwworzdAQAJ for more details. Also see http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html for details of how to create an active scan rule.

    enhancement IdealFirstBug add-on good first issue 
    opened by psiinon 36
  • Build fails with Gradle 7.6

    Describe the bug

    A build with gradle fails with the following error message:

    $ gradle :zap:distLinux
    ...
    FAILURE: Build failed with an exception.
    
    * What went wrong:
    Execution failed for task ':buildSrc:validatePlugins'.
    > Plugin validation failed with 1 problem:
        - Warning: Type 'org.zaproxy.zap.tasks.GradleBuildWithGitRepos' property 'repositoriesDirectory' has @Input annotation used on property of type 'DirectoryProperty'.
          
          Reason: A property of type 'DirectoryProperty' annotated with @Input cannot determine how to interpret the file.
          
          Possible solution: Annotate with @InputDirectory for directories.
          
          Please refer to https://docs.gradle.org/7.6/userguide/validation_problems.html#incorrect_use_of_input_annotation for more details about this problem.
      See https://docs.gradle.org/7.6/userguide/more_about_tasks.html#sec:task_input_output_annotations for more information on how to annotate task properties.
    
    * Try:
    > Run with --stacktrace option to get the stack trace.
    > Run with --info or --debug option to get more log output.
    > Run with --scan to get full insights.
    
    * Get more help at https://help.gradle.org
    
    BUILD FAILED in 39s
    18 actionable tasks: 8 executed, 1 from cache, 9 up-to-date
    

    Steps to reproduce the behavior

    1. Build the project with gradle :zap:distLinux.
    2. The build fails.

    Expected behavior

    The build is successful.

    Software versions

    My gradle version:

    gradle --version
    
    ------------------------------------------------------------
    Gradle 7.6
    ------------------------------------------------------------
    
    Build time:   2022-11-25 13:35:10 UTC
    Revision:     daece9dbc5b79370cc8e4fd6fe4b2cd400e150a8
    
    Kotlin:       1.7.10
    Groovy:       3.0.13
    Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
    JVM:          17.0.5 (Alpine 17.0.5+8-alpine-r2)
    OS:           Linux 6.1.3-0-edge amd64
    

    Screenshots

    No response

    Errors from the zap.log file

    No response

    Additional context

    No response

    Would you like to help fix this issue?

    • [X] Yes
    Type-Task 
    opened by spameier 2
  • Unable to generate report

    Describe the bug

    After running a scan, I click report -> generate report. No Generate Report window appears. I am running Zap 2.12.0 on Mac OS Monterey.

    Steps to reproduce the behavior

    1. Run a Scan in Zap
    2. select Report -> Generate report
    3. Expect Generate Report window to appear but nothing happens

    Expected behavior

    The Generate Report Window should appear but it didn't.

    Software versions

    Zap 2.12.0

    Screenshots

    Screenshot 2023-01-08 at 2 00 15 AM

    Errors from the zap.log file

    No response

    Additional context

    No response

    Would you like to help fix this issue?

    • [X] Yes
    bug add-on 
    opened by tianchoh 8
  • application/hal+json should be an expected content type

    Describe the bug

    The API scan script for zap2docker reports application/hal+json as an unexpected content type. This is the default content type for the Spring framework's Spring Data REST project.

    I was hoping that this can be treated similarly to https://github.com/zaproxy/zaproxy/issues/5121, i.e. add this content type to the list of expected types in https://github.com/zaproxy/zaproxy/blob/main/docker/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js, as occurred in PR https://github.com/zaproxy/zaproxy/pull/5233.

    Steps to reproduce the behavior

    Execute the zap-api-scan.py script using the owasp/zap2docker-stable against a Spring Data REST application.

    Review the generated report, and you'll see hundreds of alerts for "Unexpected Content-Type was returned" generated by plugin 100001

    Expected behavior

    application/hal+json should be an acceptable content type

    Software versions

    ZAP 2.12.0 zap2docker-stable 2.12.0

    Screenshots

    No response

    Errors from the zap.log file

    No response

    Additional context

    No response

    Would you like to help fix this issue?

    • [X] Yes
    enhancement Docker 
    opened by ctsag 0
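As an added illustration of the check this issue concerns (example code written here, not ZAP's own Alert_on_Unexpected_Content_Types.js script): an allow-list check over constructed responses, showing why the charset parameter and letter case must be normalised before comparing, and how adding application/hal+json removes the false alerts while a genuinely unexpected type still fires. The allow-list contents and sample responses are assumptions.

```javascript
// Added example, not ZAP's script: a Content-Type allow-list check of the
// kind the issue describes. Allow-list entries and samples are constructed.

// Assumed allow-list before the fix; the issue asks for hal+json to be added.
const EXPECTED_BEFORE = new Set([
  "application/json",
  "application/xml",
  "text/xml",
]);
const EXPECTED_AFTER = new Set([...EXPECTED_BEFORE, "application/hal+json"]);

// Normalise a raw Content-Type header value: drop parameters such as
// charset, trim whitespace and lower-case, so that
// "Application/HAL+JSON; charset=UTF-8" compares equal to "application/hal+json".
// A naive exact-string comparison would keep alerting on such responses
// even after the type is added to the list.
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Return the URLs of responses that would raise an "Unexpected Content-Type"
// alert against the given allow-list.
function unexpectedResponses(responses, expected) {
  return responses
    .filter((r) => !expected.has(mediaType(r.contentType)))
    .map((r) => r.url);
}

// Constructed sample responses: three from a Spring Data REST style API and
// one HTML login page that should still be reported.
const SAMPLE_RESPONSES = [
  { url: "/api/users", contentType: "application/hal+json;charset=UTF-8" },
  { url: "/api/users/1", contentType: "Application/HAL+JSON" },
  { url: "/api/health", contentType: "application/json" },
  { url: "/login", contentType: "text/html; charset=utf-8" },
];

// Before the fix both HAL responses alert alongside the HTML page;
// after it only the HTML page does.
console.log("before:", unexpectedResponses(SAMPLE_RESPONSES, EXPECTED_BEFORE));
console.log("after: ", unexpectedResponses(SAMPLE_RESPONSES, EXPECTED_AFTER));
```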
  • Add Jump To History functionality

    • ExtensionHistory > Hook the new popup menu item. Fix NPE in showInHistory method when History tab doesn't have focus.
    • PopupMenuJumpTo > New functionality.
    • Messages.properties > Supporting name/value pairs.

    Part of zaproxy#7362

    Signed-off-by: kingthorin [email protected]

    Type-Task 
    opened by kingthorin 1
  • Add ability to set a list of 'additional elements to click' in Automation Framework AjaxSpider job

    Is your feature request related to a problem? Please describe.

    Add ability to set a list of additional elements to crawl in Automation Framework AjaxSpider job.

    Similarly to what we can do in UI (see screenshot).

    Describe the solution you'd like

    A block in AjaxSpider AF config where I can set a list of additional elements to click.

    Describe alternatives you've considered

    A block in AjaxSpider AF config where I can set a list of additional elements to click.

    Screenshots

    Additional context

    No response

    Would you like to help fix this issue?

    • [ ] Yes
    enhancement add-on 
    opened by trigger1919 0
Releases (w2023-01-03)