
XML and JSON reports contain incorrect results


Describe the bug
Since moving from 2.10.0 to 2.11.0 the reporting function seems to be broken for traditional JSON and XML reports. Other reports seem to be fine. The issue occurs when multiple active and/or passive scripts are enabled. In the report, the results for the first alert seem to be correct but all the subsequent alerts seem to copy the results of that particular first alert.

To summarize, all alerts will report the exact same instances. The count field confirms this, even though in the original scan the count would be very different from what the report says.

An example of a JSON report can be found under Additional context.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Scripts
  2. Enable multiple passive scripts. In this case Find emails.js and Find HTML Comments.js
  3. Select a target to scan that allows these scripts to raise alerts. In this case include http://vulnweb.com.* and http://testphp.vulnweb.com.* in your context.
  4. Start the Spider
  5. Click on Report -> Generate Report ...
  6. In the dialog under Sites, select http://testphp.vulnweb.com and http://vulnweb.com.
  7. In the dialog under Context select your context
  8. In the dialog under the Template tab, select the Traditional JSON Report template.
  9. Click Generate Report

Expected behavior
A report that reports the correct results for each alert that was raised.

Software versions

  • ZAP: 2.11.0
  • Add-on: Report Generation 0.8.0
  • OS: Ubuntu 20.04.3 LTS
  • Java: openjdk version “11.0.11”
  • Browser: -

Errors from the zap.log file
None.

Additional context
To demonstrate the bug I have added [Email] demo evidence as Evidence to the Email passive script, and [Html comment] demo evidence to the HTML comments passive script. The latter, however, is nowhere to be found in the report as a result of the bug.

In the example below, **...<snip>...** indicates that content was left out for brevity. An example of a JSON report:

"site": [
  {
    "@name": "http://testphp.vulnweb.com",
    "@host": "testphp.vulnweb.com",
    "@port": "80",
    "@ssl": "false",
    "alerts": [
      {
        "pluginid": "50001",
        "alertRef": "50001",
        "alert": "Email addresses (script)",
        "name": "Email addresses (script)",
        "riskcode": "0",
        "confidence": "3",
        "riskdesc": "Informational (High)",
        "desc": "<p>Email addresses were found</p>",
        "instances": [
          {
            "uri": "http://testphp.vulnweb.com/",
            "method": "GET",
            "param": "",
            "attack": "",
            "evidence": "[Email] demo evidence"
          },
          {
            "uri": "http://testphp.vulnweb.com/artists.php",
            "method": "GET",
            "param": "",
            "attack": "",
            "evidence": "[Email] demo evidence"
          },
          **...<snip>...**
        ],
        "count": "29",
        "solution": "<p>Remove emails that are not public</p>",
        "otherinfo": "<p>wvs@acunetix.com</p>",
        "reference": "",
        "cweid": "0",
        "wascid": "0",
        "sourceid": "47"
      },
      {
        "pluginid": "50001",
        "alertRef": "50001",
        "alert": "Information Exposure Through HTML Comments (script)",
        "name": "Information Exposure Through HTML Comments (script)",
        "riskcode": "0",
        "confidence": "2",
        "riskdesc": "Informational (Medium)",
        "desc": "<p>While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.</p>",
        "instances": [
          {
            "uri": "http://testphp.vulnweb.com/",
            "method": "GET",
            "param": "",
            "attack": "",
            "evidence": "[Email] demo evidence"
          },
          {
            "uri": "http://testphp.vulnweb.com/artists.php",
            "method": "GET",
            "param": "",
            "attack": "",
            "evidence": "[Email] demo evidence"
          }
        ],
        "count": "29",
        "solution": "<p>Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.</p>",
        "otherinfo": "<p><!-- InstanceEndEditable -->,<!-- here goes headers headers -->,<!-- InstanceEndEditable -->,<!-- end masthead -->,<!-- begin content -->,<!-- InstanceEndEditable -->,<!--end content -->,<!--end navbar -->,<!-- InstanceEnd --></p>",
        "reference": "",
        "cweid": "615",
        "wascid": "13",
        "sourceid": "47"
      }
    ]
  }
]

Would you like to help fix this issue? Sure.
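The symptom described in the issue (every alert on a site carrying the same instances and the same count as the first alert) is easy to check for mechanically before a report is trusted or handed to a tracking system. The script below is an added example, not code from the ZAP project or from the issue author: it parses a Traditional JSON report in the layout shown above (site -> alerts -> instances, string-valued "count"), groups alerts by their exact instance list, and flags any site where two or more alerts share one. The two embedded reports are constructed for the example; the "broken" one mirrors the excerpt in the issue, the "healthy" one gives the HTML-comments alert its own evidence.

```python
"""Sanity checks for a ZAP "Traditional JSON" report.

Added example, not code from the ZAP project or the issue author. It flags the
symptom reported in the issue: several alerts on one site listing exactly the
same instances (and therefore the same count). The report layout used here
(site -> alerts -> instances, string-valued "count") follows the excerpt in the
issue; the sample values below are constructed.
"""
import json

# Constructed instances in the shape of the issue's excerpt.
EMAIL_INSTANCES = [
    {"uri": "http://testphp.vulnweb.com/", "method": "GET",
     "param": "", "attack": "", "evidence": "[Email] demo evidence"},
    {"uri": "http://testphp.vulnweb.com/artists.php", "method": "GET",
     "param": "", "attack": "", "evidence": "[Email] demo evidence"},
]
HTML_COMMENT_INSTANCES = [
    {"uri": "http://testphp.vulnweb.com/", "method": "GET",
     "param": "", "attack": "", "evidence": "[Html comment] demo evidence"},
]


def build_sample_report(second_alert_instances):
    """Build a minimal two-alert report for one site (constructed test data)."""
    def alert(name, instances):
        return {"pluginid": "50001", "alert": name, "name": name,
                "instances": instances, "count": str(len(instances))}
    return json.dumps({
        "@version": "2.11.0",
        "site": [{
            "@name": "http://testphp.vulnweb.com",
            "@host": "testphp.vulnweb.com",
            "@port": "80",
            "@ssl": "false",
            "alerts": [
                alert("Email addresses (script)", EMAIL_INSTANCES),
                alert("Information Exposure Through HTML Comments (script)",
                      second_alert_instances),
            ],
        }],
    })


# Broken report: the second alert repeats the first alert's instances, as in the issue.
BROKEN_REPORT = build_sample_report(EMAIL_INSTANCES)
# Healthy report: each alert carries its own instances.
HEALTHY_REPORT = build_sample_report(HTML_COMMENT_INSTANCES)


def _instance_key(instance):
    """Hashable canonical form of one instance (all fields, as strings)."""
    return tuple(sorted((k, str(v)) for k, v in instance.items()))


def find_duplicated_alerts(report_text):
    """Return [(site name, [alert names])] for every group of two or more
    alerts on a site whose instance lists are identical. Healthy report -> []."""
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        by_instances = {}
        for alert in site.get("alerts", []):
            key = tuple(sorted(_instance_key(i) for i in alert.get("instances", [])))
            if not key:  # an alert with no instances listed cannot be compared
                continue
            label = alert.get("alert") or alert.get("name") or "?"
            by_instances.setdefault(key, []).append(label)
        for names in by_instances.values():
            if len(names) > 1:
                findings.append((site.get("@name", "?"), names))
    return findings


def all_counts_identical(report_text):
    """True when a report with two or more alerts gives every alert the same
    'count' value, the other symptom the issue describes."""
    report = json.loads(report_text)
    counts = [a.get("count")
              for s in report.get("site", []) for a in s.get("alerts", [])]
    return len(counts) > 1 and len(set(counts)) == 1


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_REPORT), ("healthy", HEALTHY_REPORT)):
        print(label, find_duplicated_alerts(text), all_counts_identical(text))
```

Two genuinely different alerts can legitimately share an instance list (the same URL can trigger several passive rules), so a non-empty result is a prompt to inspect the report rather than proof of the bug; the combination of identical instance lists and identical counts across every alert on a site is the pattern the issue describes.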

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (6 by maintainers)

Top GitHub Comments

2 reactions
EndPositive commented, Oct 14, 2021

Seems to be working as expected 💪. Thanks a ton for the super swift fix!

2 reactions
psiinon commented, Oct 14, 2021

@EndPositive the add-on has now been released - let us know if it's now working as you expect. Thanks.
