2025-12-08 02:58:48,764 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,764 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,765 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,766 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,766 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,764 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,766 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,766 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,766 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,766 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,766 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,766 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,766 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Anti CSRF Token Detection 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_form 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_password 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_password 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6410 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_hidden 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6411 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_upload 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_object 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_script 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_mailto 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_setcookie 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment1 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment2 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin response_json 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Script Passive Scan Rules 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Stats Passive Scan Rule 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Anti CSRF Token Detection 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_form 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_password 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_password 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6413 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_hidden 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,767 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_upload 2025-12-08 02:58:48,768 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6412 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,767 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_object 2025-12-08 02:58:48,768 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_script 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_mailto 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_setcookie 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_comment1 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_comment2 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin response_json 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Script Passive Scan Rules 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Stats Passive Scan Rule 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6414 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6415 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,768 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,768 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,768 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,768 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Anti CSRF Token Detection 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_form 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_password 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_password 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_hidden 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_type_upload 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_object 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_tag_script 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_mailto 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_setcookie 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_comment1 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin html_comment2 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin response_json 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Script Passive Scan Rules 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3/api-docs plugin Stats Passive Scan Rule 2025-12-08 02:58:48,768 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,768 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,769 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,769 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,769 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,769 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Anti CSRF Token Detection 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_form 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_hidden 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_upload 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_object 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_script 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_mailto 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_setcookie 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_comment1 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_comment2 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin response_json 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Script Passive Scan Rules 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Stats Passive Scan Rule 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,770 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Anti CSRF Token Detection 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_form 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_password 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_hidden 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_upload 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_object 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_script 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_mailto 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_setcookie 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_comment1 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_comment2 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin response_json 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Script Passive Scan Rules 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Stats Passive Scan Rule 2025-12-08 02:58:48,770 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,770 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,770 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6416 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,771 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,771 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,771 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,771 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6418 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6420 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Anti CSRF Token Detection 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_form 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_password 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_password 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_hidden 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_upload 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_object 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_script 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_mailto 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6417 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6419 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_setcookie 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,772 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,772 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_comment1 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,772 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,772 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_comment2 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin response_json 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Script Passive Scan Rules 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Stats Passive Scan Rule 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6421 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6422 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Anti CSRF Token Detection 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_form 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_hidden 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_upload 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_script 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_mailto 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_setcookie 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_comment1 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_comment2 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin response_json 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Script Passive Scan Rules 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Stats Passive Scan Rule 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,773 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,773 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Anti CSRF Token Detection 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_form 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_hidden 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_upload 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_object 2025-12-08 02:58:48,773 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,773 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6423 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,774 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_script 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_mailto 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_setcookie 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment1 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment2 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin response_json 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Script Passive Scan Rules 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Stats Passive Scan Rule 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,774 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,774 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,774 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6424 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Anti CSRF Token Detection 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_form 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_password 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_password 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_hidden 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_type_upload 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_object 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_tag_script 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_mailto 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_setcookie 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_comment1 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin html_comment2 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin response_json 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Script Passive Scan Rules 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080 plugin Stats Passive Scan Rule 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6426 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6425 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,775 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6428 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,776 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6429 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Anti CSRF Token Detection 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_form 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_hidden 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_type_upload 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_object 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_tag_script 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_mailto 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_setcookie 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_comment1 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin html_comment2 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin response_json 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Script Passive Scan Rules 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api plugin Stats Passive Scan Rule 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,777 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6430 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,775 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,775 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,778 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,775 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,778 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Anti CSRF Token Detection 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_form 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6427 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_hidden 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_type_upload 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6431 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_object 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_tag_script 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_mailto 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_setcookie 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_comment1 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin html_comment2 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin response_json 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Script Passive Scan Rules 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6432 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6433 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth plugin Stats Passive Scan Rule 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,779 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,779 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,780 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,780 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,780 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,779 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,780 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - Attempting to create an alert for temporary message 11, type will be changed to permanent: 15 java.lang.Exception: null at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:199) ~[zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTaskHelper.raiseAlert(PassiveScanTaskHelper.java:146) ~[?:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanController.lambda$new$0(PassiveScanController.java:93) ~[?:?] at jdk.proxy2/jdk.proxy2.$Proxy35.raiseAlert(Unknown Source) [?:?] at org.zaproxy.zap.extension.pscan.PluginPassiveScanner$AlertBuilder.raise(PluginPassiveScanner.java:667) [zap-2.16.1.jar:2.16.1] at org.zaproxy.addon.authhelper.AuthenticationDetectionScanRule.scanHttpResponseReceive(AuthenticationDetectionScanRule.java:146) [authhelper-beta-0.33.0.zap:?] at org.zaproxy.addon.pscan.internal.scanner.PassiveScanTask.run(PassiveScanTask.java:152) [pscan-alpha-0.5.0.zap:?] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?] 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Anti CSRF Token Detection 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_form 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_hidden 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_type_upload 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_object 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_tag_script 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_mailto 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_setcookie 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_comment1 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin html_comment2 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin response_json 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Anti CSRF Token Detection 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Script Passive Scan Rules 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_form 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/products plugin Stats Passive Scan Rule 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_password 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_hidden 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_type_upload 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_object 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_tag_script 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_mailto 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_setcookie 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment1 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin html_comment2 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin response_json 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Script Passive Scan Rules 2025-12-08 02:58:48,780 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:48,780 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/v3 plugin Stats Passive Scan Rule 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,781 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:48,781 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,781 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6434 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6436 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNiwiZXhwIjoxNzY1MjQ5MTI2fQ._JzX1G4wwaddALT1o_KAkWRZONxbRXnODfNSitITP-k} 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,783 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,783 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6435 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6437 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6438 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,784 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:48,784 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6439 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:48,784 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9070 took 0ms 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9070 : http://localhost:8080/api/auth/login 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9070 took 0ms 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9070 took 0ms 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:48,785 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9070 took 1 ms 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9070 took 0ms 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9070 took 0ms 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9070 took 0 ms 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:48,786 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9071 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9072 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9073 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9074 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9075 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9076 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9077 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9078 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9079 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9080 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9081 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9082 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9083 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9084 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9085 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9086 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9087 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9088 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScanController] DEBUG PassiveScanController - Submitting request to executor: http://localhost:8080/api/auth/login id 9089 type 15 2025-12-08 02:58:50,697 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,697 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,697 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,697 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,697 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,697 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,698 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,698 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,699 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,699 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,699 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,699 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,701 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,701 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,701 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,703 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,703 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,703 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,704 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,704 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,704 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6442 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6440 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6441 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNiwiZXhwIjoxNzY1MjQ5MTI2fQ._JzX1G4wwaddALT1o_KAkWRZONxbRXnODfNSitITP-k} 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNiwiZXhwIjoxNzY1MjQ5MTI2fQ._JzX1G4wwaddALT1o_KAkWRZONxbRXnODfNSitITP-k} 2025-12-08 02:58:50,705 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,705 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,705 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6443 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNiwiZXhwIjoxNzY1MjQ5MTI2fQ._JzX1G4wwaddALT1o_KAkWRZONxbRXnODfNSitITP-k} 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6446 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6444 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6445 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,706 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,706 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6447 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,706 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG BigRedirectsScanRule - Scan of record 9071 took 0ms 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9074 took 0ms 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,707 [ZAP-PassiveScan-4] DEBUG ContentSecurityPolicyScanRule - Start 9071 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,707 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,707 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG BigRedirectsScanRule - Scan of record 9073 took 0ms 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG BigRedirectsScanRule - Scan of record 9072 took 0ms 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,707 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9074 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG ContentSecurityPolicyScanRule - Start 9073 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG ContentSecurityPolicyScanRule - Start 9072 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,708 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,708 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,708 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,708 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9074 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9074 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9071 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG StrictTransportSecurityScanRule - Scan of record 9071 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9072 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG StrictTransportSecurityScanRule - Scan of record 9072 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9073 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG StrictTransportSecurityScanRule - Scan of record 9073 took 0ms 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,709 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,709 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,709 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,709 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9074 took 0 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG UsernameIdorScanRule - Scan of record 9071 took 1 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9074 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG UsernameIdorScanRule - Scan of record 9072 took 1 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG UsernameIdorScanRule - Scan of record 9073 took 1 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9073 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9072 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9074 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9072 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9073 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9071 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9071 took 0ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG XDebugTokenScanRule - Scan of record 9072 took 0 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG XDebugTokenScanRule - Scan of record 9071 took 0 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG XDebugTokenScanRule - Scan of record 9073 took 0 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9074 took 0 ms 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,710 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,710 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,710 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,710 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,711 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,713 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,713 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,713 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,713 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,713 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,713 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,714 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,714 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,714 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,715 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,715 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,716 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6448 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6450 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6449 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6451 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6452 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,717 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,717 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,717 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6453 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6454 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,718 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,718 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,718 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,718 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6455 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,718 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,718 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG BigRedirectsScanRule - Scan of record 9076 took 0ms 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG BigRedirectsScanRule - Scan of record 9075 took 0ms 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG ContentSecurityPolicyScanRule - Start 9075 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG BigRedirectsScanRule - Scan of record 9077 took 0ms 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9078 took 0ms 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG ContentSecurityPolicyScanRule - Start 9076 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9078 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG ContentSecurityPolicyScanRule - Start 9077 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,719 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,719 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,719 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,719 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,720 [ZAP-PassiveScan-4] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,720 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,720 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,720 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9078 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9075 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9076 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG StrictTransportSecurityScanRule - Scan of record 9076 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9078 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG StrictTransportSecurityScanRule - Scan of record 9075 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9077 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG StrictTransportSecurityScanRule - Scan of record 9077 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9078 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG UsernameIdorScanRule - Scan of record 9076 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9076 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9076 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9078 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG UsernameIdorScanRule - Scan of record 9075 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9075 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG UsernameIdorScanRule - Scan of record 9077 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG XDebugTokenScanRule - Scan of record 9076 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9075 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9077 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9078 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG XDebugTokenScanRule - Scan of record 9075 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9077 took 0ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,721 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9078 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG XDebugTokenScanRule - Scan of record 9077 took 0 ms 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,721 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,721 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,721 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,722 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,722 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,722 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,722 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,722 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,723 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,724 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,724 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,725 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,725 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,725 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,726 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,726 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,726 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,727 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,727 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,727 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,728 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,728 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,728 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,728 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,728 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6456 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6457 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6459 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6458 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6461 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6460 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,729 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6462 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,729 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6463 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,729 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,729 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,730 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,730 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,730 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,730 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,730 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG BigRedirectsScanRule - Scan of record 9079 took 0ms 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG BigRedirectsScanRule - Scan of record 9080 took 0ms 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG ContentSecurityPolicyScanRule - Start 9080 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG ContentSecurityPolicyScanRule - Start 9079 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG BigRedirectsScanRule - Scan of record 9082 took 0ms 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9081 took 0ms 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9081 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG ContentSecurityPolicyScanRule - Start 9082 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,731 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,731 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,731 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9079 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG StrictTransportSecurityScanRule - Scan of record 9079 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9080 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9082 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG StrictTransportSecurityScanRule - Scan of record 9082 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9081 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG StrictTransportSecurityScanRule - Scan of record 9080 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9081 took 0ms 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,732 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,732 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,732 [ZAP-PassiveScan-4] DEBUG UsernameIdorScanRule - Scan of record 9079 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,732 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9079 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9079 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG XDebugTokenScanRule - Scan of record 9079 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG UsernameIdorScanRule - Scan of record 9080 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG UsernameIdorScanRule - Scan of record 9082 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9081 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9082 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9082 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG XDebugTokenScanRule - Scan of record 9082 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9080 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9080 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,733 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG XDebugTokenScanRule - Scan of record 9080 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9081 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9081 took 0ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9081 took 0 ms 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,733 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,733 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,733 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,737 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,737 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,739 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,739 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,740 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,740 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,740 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,742 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,742 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,742 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,743 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,743 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,743 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,744 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,744 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,744 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,744 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,744 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6464 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6467 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6466 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6465 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6468 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Alert: 6470 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNywiZXhwIjoxNzY1MjQ5MTI3fQ.UMRQUV-JA8LCQUvpJDxD7DTO57nelLRBuiZY1nyWWJ4} 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6469 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,745 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,745 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,745 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,746 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,746 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,746 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,745 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6471 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,746 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9086 took 0ms 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG BigRedirectsScanRule - Scan of record 9083 took 0ms 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG BigRedirectsScanRule - Scan of record 9084 took 0ms 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG ContentSecurityPolicyScanRule - Start 9083 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG ContentSecurityPolicyScanRule - Start 9084 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG BigRedirectsScanRule - Scan of record 9085 took 0ms 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG ContentSecurityPolicyScanRule - Start 9085 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9086 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,747 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,747 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,747 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,748 [ZAP-PassiveScan-1] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,748 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9084 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG StrictTransportSecurityScanRule - Scan of record 9084 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,748 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,748 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9086 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9086 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9083 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9085 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG StrictTransportSecurityScanRule - Scan of record 9085 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG StrictTransportSecurityScanRule - Scan of record 9083 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9086 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG UsernameIdorScanRule - Scan of record 9084 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG UsernameIdorScanRule - Scan of record 9083 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9086 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG UsernameIdorScanRule - Scan of record 9085 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9086 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9085 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9085 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG XDebugTokenScanRule - Scan of record 9085 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9084 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9084 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9086 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG XDebugTokenScanRule - Scan of record 9084 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,749 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9083 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9083 took 0ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG XDebugTokenScanRule - Scan of record 9083 took 0 ms 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,749 [ZAP-PassiveScan-4] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,749 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,749 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,750 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti CSRF Token Detection 2025-12-08 02:58:50,750 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Parameter Scanner 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,750 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,751 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_form 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_password 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_password 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_hidden 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_type_upload 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_object 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_tag_script 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_mailto 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_setcookie 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment1 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin html_comment2 2025-12-08 02:58:50,751 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin response_json 2025-12-08 02:58:50,752 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,753 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,753 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,754 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,754 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,754 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent href.tag.added from org.parosproxy.paros.model.HistoryReferenceEventPublisher 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Authentication Request Identified 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Authentication Request Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6472 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6474 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6473 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session Management Response Identified 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG AuthUtils - Found session tokens in http://localhost:8080/api/auth/login : {json:token=Source: json key: token value: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyOCwiZXhwIjoxNzY1MjQ5MTI4fQ.-EVn8ugFvjJ60skxNtH8md4d6ERWXja3mBCxFqWMXwo} 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Found 1 response session token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-2] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,755 [ZAP-PassiveScan-3] DEBUG ExtensionAlert - alertFound Session Management Response Identified http://localhost:8080/api/auth/login 2025-12-08 02:58:50,755 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Alert: 6475 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - addPath http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild Sites / http://localhost:8080 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild Sites / http://localhost:8080 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Alert: 6476 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild http://localhost:8080 / api 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild http://localhost:8080 / api 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddChild api / auth 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild api / auth 2025-12-08 02:58:50,756 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findAndAddLeaf auth / login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SiteMap - findChild auth / POST:login()({"username":"testuser","password":"Test1...) 2025-12-08 02:58:50,756 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SimpleEventBus - publishSyncEvent alert.added from org.zaproxy.zap.extension.alert.AlertEventPublisher 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Alert: 6477 URL: http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG ExtensionAlertFilters - Is in context 1 got 0 filters 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG SessionDetectionScanRule - Identified 0 request token(s) in http://localhost:8080/api/auth/login 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Verification Request Identified 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Vulnerable JS Library (Powered by Retire.js) 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin WSDL File Detection 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Passive Scan Rules 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Anti-clickjacking Header 2025-12-08 02:58:50,756 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Application Error Disclosure 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG BigRedirectsScanRule - Scan of record 9088 took 0ms 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Big Redirect Detected (Potential Sensitive Information Leak) 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG ContentSecurityPolicyScanRule - Start 9088 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG BigRedirectsScanRule - Scan of record 9089 took 0ms 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG ContentSecurityPolicyScanRule - Start 9089 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG BigRedirectsScanRule - Scan of record 9087 took 0ms 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Re-examine Cache-control Directives 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Charset Mismatch 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content Security Policy (CSP) Header Not Set 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin CSP 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG ContentSecurityPolicyScanRule - Start 9087 : http://localhost:8080/api/auth/login 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Content-Type Header Missing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie No HttpOnly Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Loosely Scoped Cookie 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie without SameSite Attribute 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Without Secure Flag 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain Misconfiguration 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG CrossDomainMisconfigurationScanRule - Checking message http://localhost:8080/api/auth/login for Cross-Domain misconfigurations 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cross-Domain JavaScript Source File Inclusion 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Absence of Anti-CSRF Tokens 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Directory Browsing 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Hash Disclosure 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking request of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,757 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,757 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,757 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Checking response of message org.parosproxy.paros.network.HttpMessage@eac33ca2 for Hashes 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$LM\$[a-f0-9]{16} for hash type LanMan / DES 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$K4\$[a-f0-9]{16}, for hash type Kerberos AFS DES 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2y\$05\$[a-z0-9\+\-_./=]{53} for hash type OpenBSD Blowfish 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22} for hash type MD5 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$5\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43} for hash type SHA-256 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$6\$rounds=[0-9]+\$[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86} for hash type SHA-512 Crypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$2a\$[0-9]{2}\$[./0-9A-Za-z]{53} for hash type BCrypt 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$3\$\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG HashDisclosureScanRule - Trying Hash Pattern: \$NT\$[0-9a-f]{32} for hash type NTLM 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Heartbleed OpenSSL Vulnerability (Indicative) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Private IP Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Session ID in URL Rewrite 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Debug Error Messages 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in URL 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Sensitive Information in HTTP Referrer Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Information Disclosure - Suspicious Comments 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Weak Authentication Method 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP to HTTPS Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTPS to HTTP Insecure Transition in Form Post 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Insecure JSF ViewState 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Reverse Tabnabbing 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Secure Pages Include Mixed Content 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Modern Web Application 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin PII Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Script Served From Malicious Domain (polyfill) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9087 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG StrictTransportSecurityScanRule - Scan of record 9087 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Retrieved from Cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG RetrievedFromCacheScanRule - Checking URL http://localhost:8080/api/auth/login to see if was served from a shared cache 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin HTTP Server Response Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9089 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG ServerHeaderInfoLeakScanRule - Scan of record 9088 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG StrictTransportSecurityScanRule - Scan of record 9088 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Strict-Transport-Security Header 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG StrictTransportSecurityScanRule - Scan of record 9089 took 0ms 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Timestamp Disclosure 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Checking message http://localhost:8080/api/auth/login for timestamps 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG TimestampDisclosureScanRule - Trying Timestamp Pattern: \b(?:1\d|2[0-2])\d{8}\b(?!%) for timestamp type Unix 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable Charset 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Cookie Poisoning 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,758 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,758 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,758 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable HTML Element Attribute (Potential XSS) 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin User Controllable JavaScript Event (XSS) 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Off-site Redirect 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Username Hash Found 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG UsernameIdorScanRule - Scan of record 9089 took 1 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG UsernameIdorScanRule - Scan of record 9087 took 0 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG UsernameIdorScanRule - Scan of record 9088 took 0 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9087 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Viewstate 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9087 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG XDebugTokenScanRule - Scan of record 9087 took 0 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-AspNet-Version Response Header 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9089 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9089 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG XDebugTokenScanRule - Scan of record 9089 took 0 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,759 [ZAP-PassiveScan-2] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,759 [ZAP-PassiveScan-1] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Backend-Server Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG XBackendServerInformationLeakScanRule - Scan of record 9088 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-ChromeLogger-Data (XCOLD) Header Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG XChromeLoggerDataInfoLeakScanRule - Scan of record 9088 took 0ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Content-Type-Options Header Missing 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin X-Debug-Token Information Leak 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG XDebugTokenScanRule - Scan of record 9088 took 0 ms 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin ZAP is Out of Date 2025-12-08 02:58:50,759 [ZAP-PassiveScan-3] DEBUG PassiveScanTask - Running scan rule, URL http://localhost:8080/api/auth/login plugin Stats Passive Scan Rule 2025-12-08 02:58:50,902 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:50,902 [main ] INFO CommandLine - Job passiveScan-wait finished, time taken: 00:00:02 2025-12-08 02:58:50,902 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:50,902 [main ] INFO CommandLine - Job report started 2025-12-08 02:58:50,902 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:50,902 [main ] DEBUG SimpleEventBus - publishSyncEvent job.started from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:50,917 [main ] DEBUG ExtensionReports - Copying resources from /root/.ZAP/reports/high-level-report/resources to /home/zap/zap-reports/zap-report-high-level 2025-12-08 02:58:51,194 [main ] DEBUG ExtensionReports - Generated report /home/zap/zap-reports/zap-report-high-level.html 2025-12-08 02:58:51,195 [main ] INFO CommandLine - Job report-high-level generated report /home/zap/zap-reports/zap-report-high-level.html 2025-12-08 02:58:51,195 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,195 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,195 [main ] INFO CommandLine - Job report finished, time taken: 00:00:00 2025-12-08 02:58:51,195 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,195 [main ] INFO CommandLine - Job report started 2025-12-08 02:58:51,195 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,195 [main ] DEBUG SimpleEventBus - publishSyncEvent job.started from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,198 [main ] DEBUG ExtensionReports - Copying resources from /root/.ZAP/reports/modern/resources to /home/zap/zap-reports/zap-report-modern 2025-12-08 02:58:51,419 [main ] DEBUG ExtensionReports - Generated report /home/zap/zap-reports/zap-report-modern.html 2025-12-08 02:58:51,420 [main ] INFO CommandLine - Job report-modern generated report /home/zap/zap-reports/zap-report-modern.html 2025-12-08 02:58:51,420 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,420 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,420 [main ] INFO CommandLine - Job report finished, time taken: 00:00:00 2025-12-08 02:58:51,420 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,420 [main ] INFO CommandLine - Job report started 2025-12-08 02:58:51,420 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,420 [main ] DEBUG SimpleEventBus - publishSyncEvent job.started from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,424 [main ] DEBUG ExtensionReports - Copying resources from /root/.ZAP/reports/risk-confidence-html/resources to /home/zap/zap-reports/zap-report-risk-confidence 2025-12-08 02:58:51,548 [main ] DEBUG ExtensionReports - Generated report /home/zap/zap-reports/zap-report-risk-confidence.html 2025-12-08 02:58:51,549 [main ] INFO CommandLine - Job report-risk-confidence generated report /home/zap/zap-reports/zap-report-risk-confidence.html 2025-12-08 02:58:51,549 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,549 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,549 [main ] INFO CommandLine - Job report finished, time taken: 00:00:00 2025-12-08 02:58:51,549 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,549 [main ] INFO CommandLine - Job report started 2025-12-08 02:58:51,549 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,549 [main ] DEBUG SimpleEventBus - publishSyncEvent job.started from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,580 [main ] DEBUG ExtensionReports - Generated report /home/zap/zap-reports/zap-report-traditional.html 2025-12-08 02:58:51,580 [main ] INFO CommandLine - Job report-traditional generated report /home/zap/zap-reports/zap-report-traditional.html 2025-12-08 02:58:51,580 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,580 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,580 [main ] INFO CommandLine - Job report finished, time taken: 00:00:00 2025-12-08 02:58:51,580 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,580 [main ] INFO CommandLine - Job report started 2025-12-08 02:58:51,580 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,580 [main ] DEBUG SimpleEventBus - publishSyncEvent job.started from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,583 [main ] DEBUG ExtensionReports - Copying resources from /root/.ZAP/reports/traditional-html-plus/resources to /home/zap/zap-reports/zap-report-traditional-plus 2025-12-08 02:58:51,672 [main ] DEBUG ExtensionReports - Generated report /home/zap/zap-reports/zap-report-traditional-plus.html 2025-12-08 02:58:51,672 [main ] INFO CommandLine - Job report-traditional-plus generated report /home/zap/zap-reports/zap-report-traditional-plus.html 2025-12-08 02:58:51,672 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,672 [main ] DEBUG SimpleEventBus - publishSyncEvent job.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,672 [main ] INFO CommandLine - Job report finished, time taken: 00:00:00 2025-12-08 02:58:51,672 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.info from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,672 [main ] DEBUG SimpleEventBus - publishSyncEvent plan.finished from org.zaproxy.addon.automation.AutomationEventPublisher 2025-12-08 02:58:51,672 [main ] INFO CommandLine - Automation plan succeeded! 2025-12-08 02:58:52,673 [main ] DEBUG SimpleEventBus - unregisterPublisher org.zaproxy.zap.extension.websocket.WebSocketEventPublisher 2025-12-08 02:58:52,680 [main ] DEBUG ExtensionCallHome - Sending request to ZAP service https://tel.zaproxy.org/ZAPtel 2025-12-08 02:58:52,681 [main ] DEBUG BaseHttpSender - Sending POST https://tel.zaproxy.org/ZAPtel 2025-12-08 02:58:52,681 [main ] DEBUG BaseHttpSender - Sending message to: https://tel.zaproxy.org/ZAPtel 2025-12-08 02:58:53,038 [main ] DEBUG BaseHttpSender - SUCCESSFUL 2025-12-08 02:58:53,038 [main ] DEBUG BaseHttpSender - Received response after 356ms for POST https://tel.zaproxy.org/ZAPtel 2025-12-08 02:58:53,475 [ZAP-DownloadManager] DEBUG DownloadManager - Shutdown 2025-12-08 02:58:57,049 [main ] DEBUG PassiveScanController - Shutdown 2025-12-08 02:58:57,050 [main ] DEBUG ParosDatabase - close 2025-12-08 02:58:57,466 [main ] INFO CommandLineBootstrap - ZAP 2.16.1 terminated. 2025-12-08 02:58:58,698 [ZAP-PassiveScanController] DEBUG PassiveScanController - Stopping passive scan monitoring