Question: I am not getting any issues on command line
Closed this issue · 2 comments
When I'm running zap-cli everything seems fine. The tool tells me that it found 0 issues.
docker run -i owasp/zap2docker-stable zap-cli quick-scan -s all --self-contained --start-options '-config api.disablekey=true' https://www.leankoala.com
When running the GUI tool there are a lot of warnings, e.g. directory browsing or x-frame-options header not set.
Can you help me to find my misconfiguration?
Verbose:
[DEBUG] Starting ZAP process with command: /zap/zap.sh -daemon -port 8080 -config api.disablekey=true.
[DEBUG] Logging to /zap/zap.log
[DEBUG] ZAP started successfully.
[INFO] Running a quick scan for https://www.leankoala.com
[DEBUG] Disabling all current scanners
[DEBUG] Enabling all scanners
[DEBUG] Scanning target https://www.leankoala.com...
[DEBUG] Started scan with ID 0...
[DEBUG] Scan progress %: 0
[DEBUG] Scan progress %: 5
[DEBUG] Scan progress %: 70
[DEBUG] Scan #0 completed
[INFO] Issues found: 0
[INFO] Shutting down ZAP daemon
[DEBUG] Shutting down ZAP.
[DEBUG] ZAP shutdown successfully.
Hi @koalamon! By default zap-cli will only output "High" alerts that are found (i.e. XSS, CSRF, SQLi, etc.). If you also want to output lower level alerts like the X-Frame-Options header being missing, you can use the --alert-level or -l parameter (which can be High, Medium, Low or Informational) with the quick-scan command.
So, if you want to output all alerts, you could use "Informational" with your command:
docker run -i owasp/zap2docker-stable zap-cli quick-scan -l Informational -s all --self-contained --start-options '-config api.disablekey=true' https://www.leankoala.com
You can also change that to Low or Medium to output fewer alerts by only including those of a higher severity.
I hope that helps!
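To make the thresholding described in the answer above concrete, here is an added illustration that is not part of the original thread and not zap-cli's or ZAP's own code. It applies the same "minimum alert level" filter to a small, constructed list of alerts shaped like the records ZAP's alerts API returns (the field names alert, risk and url, and the example.test URLs, are assumptions). With the default level of High the constructed scan reports 0 issues, exactly as in the log in the question, while Informational shows everything.

```python
"""Minimum-severity filtering as zap-cli's --alert-level / -l option applies it.

Added illustration only: this is not zap-cli's or ZAP's code. The alert records
below are constructed to resemble what ZAP's alerts API returns; the field names
("alert", "risk", "url") and the example.test URLs are assumptions.
"""

# ZAP risk levels in ascending order of severity.
ALERT_LEVELS = ["Informational", "Low", "Medium", "High"]

# Constructed sample: a site with only header/configuration findings and no
# High-risk issues, i.e. the situation described in the question.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "https://example.test/"},
    {"alert": "Directory Browsing", "risk": "Medium",
     "url": "https://example.test/assets/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "url": "https://example.test/login"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "url": "https://example.test/"},
]


def filter_alerts(alerts, minimum_level="High"):
    """Return the alerts whose risk is at least minimum_level.

    The default of "High" mirrors zap-cli's default, which is why a scan that
    only produced Medium/Low/Informational findings prints "Issues found: 0".
    """
    if minimum_level not in ALERT_LEVELS:
        raise ValueError(
            f"unknown alert level {minimum_level!r}; expected one of {ALERT_LEVELS}")
    threshold = ALERT_LEVELS.index(minimum_level)
    return [
        a for a in alerts
        if a.get("risk") in ALERT_LEVELS
        and ALERT_LEVELS.index(a["risk"]) >= threshold
    ]


def count_by_level(alerts, minimum_level="High"):
    """Count the surviving alerts per risk level after applying the threshold."""
    counts = {level: 0 for level in ALERT_LEVELS}
    for a in filter_alerts(alerts, minimum_level):
        counts[a["risk"]] += 1
    return counts


def summary(alerts, minimum_level="High"):
    """Build the one-line summary a scan at the given level would report."""
    kept = filter_alerts(alerts, minimum_level)
    return f"Issues found at level {minimum_level} or higher: {len(kept)}"


if __name__ == "__main__":
    # Walk the threshold down from the default and watch the findings appear.
    for level in reversed(ALERT_LEVELS):
        print(summary(SAMPLE_ALERTS, level))
        for a in filter_alerts(SAMPLE_ALERTS, level):
            print(f"  [{a['risk']}] {a['alert']} - {a['url']}")
```

Running the block prints four summaries: 0 issues at High, 2 at Medium, 3 at Low and 4 at Informational, which is the difference between the quick-scan command in the question and the same command with -l Informational.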
Great. It worked. Thank you!