secdec / attack-surface-detector-zap
The Attack Surface Detector uses static code analysis to identify web app endpoints by parsing routes and identifying parameters.

License: Mozilla Public License 2.0

Language: Java 100%
Topics: dast, security, vulnerability, pentesting

attack-surface-detector-zap's Introduction


Summary

During web application penetration testing, it is important to enumerate the application's attack surface. Dynamic Application Security Testing (DAST) tools such as Burp Suite and ZAP are good at spidering to discover an application's attack surface, but they often fail to identify unlinked endpoints and optional parameters. Endpoints and parameters that are never found usually go untested, which can leave the application open to an attacker. The Attack Surface Detector is a plugin for OWASP ZAP that determines, from the application's source code, the endpoints of a web application, the parameters those endpoints accept, and the data types of those parameters. This includes endpoints a spider will not find because nothing in the client-side code links to them, and optional parameters that the client-side code never uses. The plugin then imports this data into ZAP so you can view the results, or work with the detected endpoints and parameters from the target's site map.

How it Works

The Attack Surface Detector uses static code analysis to identify web application endpoints by parsing routes and identifying parameters, for the supported languages and frameworks listed below.

Supported Frameworks:

  • C# / ASP.NET MVC
  • C# / Web Forms
  • Java / Spring MVC
  • Java / Struts
  • Java JSP
  • Python / Django
  • Ruby / Rails
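The route-and-parameter parsing described above, as an added example that is not code from ASD or from the ThreadFix framework parsers it builds on: a toy extractor for a small subset of Spring MVC (a class-level @RequestMapping prefix, method-level @GetMapping/@PostMapping/@RequestMapping, and @RequestParam/@PathVariable with their required flags and Java types), run over a constructed controller, followed by a diff against a constructed record of what a spider actually requested. The controller, the spidered requests and every function name are assumptions for illustration; the real parsers cover far more of each framework's syntax than this.

```python
"""Toy static endpoint extraction for a subset of Spring MVC, then a diff against what a
spider reached.  Added example: NOT ASD's or ThreadFix's code.  The controller source, the
spidered requests and every name below are constructed for illustration only."""
import re
from collections import namedtuple

# Constructed sample controller (not taken from any real project).
SAMPLE_CONTROLLER = r'''
@RestController
@RequestMapping("/api/users")
public class UserController {
    @GetMapping("/{id}")
    public User get(@PathVariable("id") long id) { /* ... */ }

    @PostMapping("/search")
    public List<User> search(@RequestParam("q") String q,
                             @RequestParam(value = "limit", required = false) Integer limit) { /* ... */ }

    // Nothing in the UI links here, so a crawler never requests it.
    @RequestMapping(value = "/export", method = RequestMethod.GET)
    public byte[] export(@RequestParam(name = "format", required = false) String format) { /* ... */ }
}'''

# Constructed record of what a spider reached: (method, concrete path, query params it sent).
SPIDERED = [("GET", "/api/users/42", set()), ("POST", "/api/users/search", {"q"})]

Param = namedtuple("Param", "name kind data_type required")   # kind: "query" or "path"
Endpoint = namedtuple("Endpoint", "method path params")
_JAVA_TYPE = {t: "integer" for t in ("int", "long", "short", "Integer", "Long", "Short")}
_JAVA_TYPE.update({"boolean": "boolean", "Boolean": "boolean"})
_MAPPING_RE = re.compile(r'@(Get|Post|Put|Delete|Patch|Request)Mapping\s*\(')
_PARAM_RE = re.compile(r'^@(RequestParam|PathVariable)(?:\(([^()]*)\))?\s+([\w<>\[\]]+)\s+(\w+)$')
_SIG_RE = re.compile(r'(\w+)\s*\(')          # method name followed by its parameter list
_STR_RE = re.compile(r'"([^"]*)"')

def _balanced(text, open_idx):
    """Return (inner text, index of the matching ')') for the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            return text[open_idx + 1:i], i
    raise ValueError("unbalanced parentheses")

def _split_args(s):
    """Split on commas outside parentheses so annotation arguments stay whole."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def _parse_param(decl):
    m = _PARAM_RE.match(" ".join(decl.split()))
    if not m:                   # HttpServletRequest, @RequestBody etc.: not modelled here
        return None
    ann, args, jtype, var = m.groups()
    args, lit = args or "", _STR_RE.search(args or "")
    return Param(lit.group(1) if lit else var, "query" if ann == "RequestParam" else "path",
                 _JAVA_TYPE.get(jtype, "string"), re.search(r'required\s*=\s*false', args) is None)

def extract_endpoints(java_source):
    """Combine the class-level @RequestMapping prefix with each method-level mapping."""
    cls = re.search(r'\bclass\s+\w+', java_source)
    if not cls:
        return []
    cm = re.search(r'@RequestMapping\s*\(([^)]*)\)', java_source[:cls.start()])
    lit = _STR_RE.search(cm.group(1)) if cm else None
    prefix = lit.group(1).rstrip("/") if lit else ""
    endpoints = []
    for m in _MAPPING_RE.finditer(java_source, cls.end()):
        args, end = _balanced(java_source, m.end() - 1)
        rm = re.search(r'RequestMethod\.(\w+)', args)
        # @GetMapping etc. fix the verb; a bare @RequestMapping matches every verb
        method = m.group(1).upper() if m.group(1) != "Request" else (rm.group(1) if rm else "ANY")
        lit = _STR_RE.search(args)
        path = prefix + (lit.group(1) if lit else "") or "/"
        sig = _SIG_RE.search(java_source, end + 1)   # assumes no parenthesised annotation in between
        params_src, _ = _balanced(java_source, sig.end() - 1)
        endpoints.append(Endpoint(method, path, [p for p in map(_parse_param, _split_args(params_src)) if p]))
    return endpoints

def _template_re(path):
    """Turn /api/users/{id} into a regex that matches concrete URLs such as /api/users/42."""
    parts = re.split(r'(\{[^/}]+\})', path)
    return re.compile("^" + "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts) + "$")

def untested_surface(endpoints, spidered):
    """Return (endpoints the spider never reached, [(endpoint, query params it never sent)])."""
    unlinked, missed = [], []
    for ep in endpoints:
        rx = _template_re(ep.path)
        hits = [q for (verb, p, q) in spidered if rx.match(p) and ep.method in ("ANY", verb)]
        if not hits:
            unlinked.append(ep)
            continue
        seen = set().union(*hits)
        gap = [p.name for p in ep.params if p.kind == "query" and p.name not in seen]
        if gap:
            missed.append((ep, gap))
    return unlinked, missed

if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_CONTROLLER)
    for ep in eps:
        print(ep.method, ep.path, [(p.name, p.data_type, "required" if p.required else "optional") for p in ep.params])
    unlinked, missed = untested_surface(eps, SPIDERED)
    print("never reached:", [e.path for e in unlinked])             # ['/api/users/export']
    print("params never sent:", [(e.path, g) for e, g in missed])  # [('/api/users/search', ['limit'])]
```

Run stand-alone, the block lists three endpoints with their parameter names and coarse types, then reports /api/users/export as never reached by the spider and limit on /api/users/search as a parameter the spider never sent: exactly the class of gaps the plugin exists to surface and feed into ZAP's site tree. The limits are deliberate: annotations with parentheses sitting between the mapping and the method signature, path prefixes on interfaces, and Struts, JSP, Django or Rails routing are all outside what this toy handles.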

A brief demonstration of the Attack Surface Detector can be found here: Note: this demonstration is based on the plugin built for PortSwigger's Burp Suite; implementation and operation are nearly identical for the ZAP plugin.

Installing the Plugin

  1. Detailed install instructions.

For Developers & Contributors

Build Instructions

  1. Install Maven: https://maven.apache.org/install.html
  2. Clone the Attack Surface Detector repository: https://github.com/secdec/attack-surface-detector-zap
  3. Navigate to the source code directory.
  4. Open a new terminal and run the command mvn clean package
  5. The built plugin will be in the target folder, named attacksurfacedetector-release-#.zap

License

Licensed under the Mozilla Public License 2.0 (MPL-2.0).

attack-surface-detector-zap's People

Contributors

kingthorin, matthewd-avi, thc202


attack-surface-detector-zap's Issues

how to install into headless zap?

./zap.sh -cmd -addoninstall <what?>
Not planning to use the GUI version at all. There is no way to know the plugin name/ID on the internet.
Can you please give us (headless users) a hand?
Thanks

NPE when threadfix.properties not cleaned up

I pointed it at a *.war which I guess isn't an option it can handle. Even after removing and re-installing the addon I couldn't get it to action the menu item without a Null Pointer Exception.

36324 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - About to show dialog.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning useHttps false
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPath
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPort 8090
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetHost localhost
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war
36324 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - configured
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36324 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war
36324 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - Got source information, about to generate endpoints.
36629 [AWT-EventQueue-0] INFO FrameworkCalculator - Attempting to guess Framework Type from source tree.
36629 [AWT-EventQueue-0] INFO FrameworkCalculator - File: C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war
36629 [AWT-EventQueue-0] WARN FrameworkCalculator - Invalid directory passed to FrameworkCalculator.getType(File): C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war
36629 [AWT-EventQueue-0] INFO FrameworkCalculator - Source tree framework type detection returned: None
36629 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Creating database with root file = C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\bodgeit.war and framework type = NONE and path cleaner = [PathCleaner dynamicRoot=null, staticRoot=null]
36629 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Returning database with generator (null): null
36629 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
36629 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
36629 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder null
36629 [AWT-EventQueue-0] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger - Exception in thread "AWT-EventQueue-0"
java.lang.NullPointerException
at com.securedecisions.attacksurfacedetector.plugin.zap.action.EndpointsAction$1.actionPerformed(EndpointsAction.java:70)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.AbstractButton.doClick(AbstractButton.java:376)
at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:842)
at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:886)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2238)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2296)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4897)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4534)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4475)
at java.awt.Container.dispatchEventImpl(Container.java:2282)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:733)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
162116 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - About to show dialog.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Creating new file.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning useHttps null
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPath null
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPort null
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetHost null
162116 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.dialog.OptionsDialog - Attempting to show dialog.
162116 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning useHttps null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning autospider null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetHost null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPort null
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
162131 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning targetPath null

After manually removing threadfix.properties things started working again.

NullPointerException while importing WAR file

Hopefully it's OK to raise the issue here (it does not seem to be a problem in ASD code).

Steps to reproduce the issue:

  1. Run ZAP with ASD add-on installed;
  2. Import the BodgeIt WAR (https://github.com/psiinon/bodgeit/releases)
  3. Note that nothing happens, in the log there's an exception:
ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "AWT-EventQueue-1"
java.lang.NullPointerException
	at java.io.File.<init>(File.java:277)
	at com.denimgroup.threadfix.framework.impl.jsp.JSPEndpointGenerator.applyLineNumbers(JSPEndpointGenerator.java:299)
	at com.denimgroup.threadfix.framework.impl.jsp.JSPEndpointGenerator.<init>(JSPEndpointGenerator.java:175)
	at com.denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory.getDatabase(EndpointDatabaseFactory.java:176)
	at com.denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory.getDatabase(EndpointDatabaseFactory.java:150)
	at com.denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory.getDatabase(EndpointDatabaseFactory.java:143)
	at com.denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory.getDatabase(EndpointDatabaseFactory.java:110)
	at com.denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory.getDatabase(EndpointDatabaseFactory.java:89)
	at org.zaproxy.zap.extension.attacksurfacedetector.AttackSurfaceDetectorPanel.getEndpoints(AttackSurfaceDetectorPanel.java:372)
	at org.zaproxy.zap.extension.attacksurfacedetector.AttackSurfaceDetectorPanel.access$200(AttackSurfaceDetectorPanel.java:76)
	at org.zaproxy.zap.extension.attacksurfacedetector.AttackSurfaceDetectorPanel$1.actionPerformed(AttackSurfaceDetectorPanel.java:157)
[...]

Versions:
ASD v1.1.1
ZAP 2.7.0
Java 1.8.0_171

attack-surface-detector-zap automation with python3

Hi,

As part of my final year project, I'm working on a project where I need to automate security testing with ZAP and, especially, automate the identification of the entry points of a web application using the plugin "Surface Attack Detector". I need help automating the use of the ZAP plugin via the command line interface so I can integrate it into my Python 3 scripts, without needing to use Docker, as I am already working on a Kali machine.

Looking forward to your response.

Thank you in advance for your help and collaboration.

Jihane

Usage via ZAP REST API?

Hello,

I'm interested in using the ASD extension for ZAP. However, I usually use ZAP in headless mode and interact with ZAP via the exposed REST API. What I would like to be able to do with this extension is take an endpoint JSON file that was generated via the attack-surface-detector-cli and then send that JSON to ZAP via a REST endpoint. Is this possible currently? I've looked through the documentation wiki but I've only seen documentation on configuring the ASD plugin via the ZAP GUI.

I noticed issue #18 as well. I'm not sure if anything came out of that issue outside of the issue thread, but I'm also using Python 3 to interact with the ZAP API.

Thanks in advance for your help.

ZAP Spider Changes

Just dropped by to give you a heads up. We're planning significant changes to the Spider for the upcoming 2.12 release of ZAP. It's been moved out of core and into an add-on.
Refs:

You can see an overview of our tasks here: zaproxy/zaproxy#3113 which includes reference to PRs that cover all the Spider changes we've made to ZAP's add-ons. You can likely model your changes along with this.

The other option is to change the ASD build file to indicate it's not compatible with versions >= 2.12 (and publish a new release).

In the meantime, if we recall correctly, the ASD add-on does check if the core spider is available and handles situations where it isn't.

https://www.zaproxy.org/blog/2022-08-30-spider-move/

NPE importing php app (or JSP content)

Yes I realize now that PHP isn't on the list https://github.com/secdec/attack-surface-detector-zap#supported-frameworks, but it's probably a condition that should be handled.

I tried importing mutillidae and encountered an NPE.

471150 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471166 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471181 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - configured
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
471181 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\htdocs\mutillidae
471181 [AWT-EventQueue-0] INFO com.securedecisions.attacksurfacedetector.plugin.zap.action.LocalEndpointsAction - Got source information, about to generate endpoints.
471181 [AWT-EventQueue-0] INFO FrameworkCalculator - Attempting to guess Framework Type from source tree.
471181 [AWT-EventQueue-0] INFO FrameworkCalculator - File: C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\htdocs\mutillidae
472851 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker - Got 0 .cs files from the directory.
473258 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker - Got 0 Controller files from the directory.
473648 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNetWebForm.WebFormsFrameworkChecker - Got 0 .aspx files from the directory.
474054 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker - Got 0 *.rb files from the directory.
474054 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker - .../config/routes.rb was NOT found.
474476 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.django.DjangoFrameworkChecker - Got 0 .py files from the directory.
474476 [AWT-EventQueue-0] INFO FrameworkCalculator - Source tree framework type detection returned: None
474476 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Creating database with root file = C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\htdocs\mutillidae and framework type = NONE and path cleaner = [PathCleaner dynamicRoot=null, staticRoot=null]
474476 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Returning database with generator (null): null
474476 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
474491 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
474491 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder null
474491 [AWT-EventQueue-0] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger - Exception in thread "AWT-EventQueue-0"
java.lang.NullPointerException
at com.securedecisions.attacksurfacedetector.plugin.zap.action.EndpointsAction$1.actionPerformed(EndpointsAction.java:70)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.AbstractButton.doClick(AbstractButton.java:376)
at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:842)
at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:886)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2238)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2296)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4897)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4534)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4475)
at java.awt.Container.dispatchEventImpl(Container.java:2282)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:733)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

I then thought ok, delete the threadfix.properties file, restart ZAP and just import some *.jsp that should be simple. NPE again and it doesn't seem that JSP was checked at all:

27499 [AWT-EventQueue-0] INFO FrameworkCalculator - File: C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\wavsep\active
28919 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker - Got 0 .cs files from the directory.
29233 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker - Got 0 Controller files from the directory.
29592 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.dotNetWebForm.WebFormsFrameworkChecker - Got 0 .aspx files from the directory.
29951 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker - Got 0 *.rb files from the directory.
29951 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker - .../config/routes.rb was NOT found.
30279 [AWT-EventQueue-0] INFO com.denimgroup.threadfix.framework.impl.django.DjangoFrameworkChecker - Got 0 .py files from the directory.
30279 [AWT-EventQueue-0] INFO FrameworkCalculator - Source tree framework type detection returned: None
30295 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Creating database with root file = C:\Users\thorin\Downloads\xampp-portable-win32-5.6.23-0-VC11\xampp\tomcat\webapps\wavsep\active and framework type = NONE and path cleaner = [PathCleaner dynamicRoot=null, staticRoot=null]
30295 [AWT-EventQueue-0] INFO EndpointDatabaseFactory - Returning database with generator (null): null
30295 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Properties file is at C:\Users\thorin\OWASP ZAP_D\threadfix.properties
30295 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - Successfully loaded properties.
30295 [AWT-EventQueue-0] INFO org.zaproxy.zap.extension.attacksurfacedetector.ZapPropertiesManager - returning source code folder null
30295 [AWT-EventQueue-0] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger - Exception in thread "AWT-EventQueue-0"
java.lang.NullPointerException
at com.securedecisions.attacksurfacedetector.plugin.zap.action.EndpointsAction$1.actionPerformed(EndpointsAction.java:70)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.AbstractButton.doClick(AbstractButton.java:376)
at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:842)
at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:886)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2238)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2296)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4897)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4534)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4475)
at java.awt.Container.dispatchEventImpl(Container.java:2282)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:733)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

Note around 29233 it mentions rb, cs, py, routes.rb, Controller, .aspx; but not JSP?

Version mismatch in add-on manifest

The filename says version 1.1.1 [1] but in the add-on manifest it is 1.1.0. [2]
The version in the manifest takes precedence.

I'd suggest setting that when building, similar to https://github.com/h3xstream/burp-retire-js/pull/22/files
(In this case it could set the version, status, and not-before-version.)

[1] https://github.com/secdec/attack-surface-detector-zap/releases/tag/1.1.1
[2] https://github.com/secdec/attack-surface-detector-zap/blob/1.1.1/zaproxy/src/org/zaproxy/zap/extension/attacksurfacedetector/ZapAddOn.xml#L3
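A release check for the mismatch reported in this issue, and for the attacksurfacedetector-release-#.zap artifact produced by the build steps in the README above, as an added example that is not part of the ASD project or of ZAP: it reads ZapAddOn.xml out of a .zap archive (a zip) and compares its <version> element with the version embedded in the file name, since ZAP goes by the manifest. It assumes the manifest sits at the root of the archive with a top-level <version> element, as in the manifest linked above; the archive used here is built in memory so the block runs offline.

```python
"""Check that a packaged ZAP add-on's manifest version matches its file name.
Added example, not part of the ASD project or of ZAP.  Assumes ZapAddOn.xml sits at the
root of the .zap archive with a top-level <version> element; the archive is constructed
in memory below so nothing on disk is needed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

def manifest_version(zap_bytes):
    """Return the <version> text from ZapAddOn.xml inside a .zap (zip) archive."""
    with zipfile.ZipFile(io.BytesIO(zap_bytes)) as zf:
        with zf.open("ZapAddOn.xml") as fh:
            root = ET.parse(fh).getroot()
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("ZapAddOn.xml has no <version> element")
    return node.text.strip()

def filename_version(name):
    """Extract the version from a release name such as attacksurfacedetector-release-1.1.1.zap."""
    m = re.search(r'-(\d+(?:\.\d+)*)\.zap$', name)
    if not m:
        raise ValueError("no version in file name: " + name)
    return m.group(1)

def check_release(name, zap_bytes):
    """Return (ok, file-name version, manifest version).  ZAP uses the manifest, so on a
    mismatch the installed add-on will not report the version the release was tagged with."""
    fv, mv = filename_version(name), manifest_version(zap_bytes)
    return fv == mv, fv, mv

def build_fake_addon(version):
    """Constructed stand-in for a built .zap: a zip holding only a minimal ZapAddOn.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ZapAddOn.xml", "<zapaddon>\n<name>Attack Surface Detector</name>\n"
                                    "<version>%s</version>\n</zapaddon>\n" % version)
    return buf.getvalue()

if __name__ == "__main__":
    # The first case reproduces the 1.1.1 file name / 1.1.0 manifest pairing from the issue.
    for fname, mv in [("attacksurfacedetector-release-1.1.1.zap", "1.1.0"),
                      ("attacksurfacedetector-release-1.1.1.zap", "1.1.1")]:
        ok, file_v, manifest_v = check_release(fname, build_fake_addon(mv))
        print("%s: file says %s, manifest says %s -> %s" % (fname, file_v, manifest_v, "OK" if ok else "MISMATCH"))
```

For a real artifact, read the .zap from the target folder into bytes and pass it to check_release together with its file name; wiring this into the build as a post-package step catches the mismatch before the file is tagged as a release or dropped into a ZAP plugin directory.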
