Reduce usage of error level logging in ascan rules

addOns/ascanrules/CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Address potential false positives with the XSLT Injection scan rule when payloads cause a failure which may still contain the expected evidence.
 - Depends on an updated version of the Common Library add-on.
+- Reduced usage of error level logging.
 
 ## [74] - 2025-09-18
 ### Added

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java

@@ -156,7 +156,7 @@ public void scan(HttpMessage msg, String param, String value) {
         } catch (URIException e) {
             LOGGER.debug("Failed to send HTTP message, cause: {}", e.getMessage());
         } catch (IOException e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java

@@ -21,6 +21,7 @@
 
 import static org.zaproxy.zap.extension.ascanrules.utils.Constants.NULL_BYTE_CHARACTER;
 
+import java.io.IOException;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -258,8 +259,8 @@ private List<HtmlContext> performAttack(
             // Not an error, just means we probably attacked the redirect
             // location
             return null;
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -996,8 +997,8 @@ public void scan(HttpMessage msg, String param, String value) {
                 attackHeader(msg, param, appendedValue ? value : "");
             }
 
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java

@@ -272,7 +272,7 @@ && isPage200(verificationMsg)) {
         } catch (URIException e) {
             LOGGER.debug("Failed to send HTTP message, cause: {}", e.getMessage());
         } catch (IOException e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java

@@ -1042,9 +1042,9 @@ public void scan() {
                     if (os != null) os.close();
                 }
             }
-        } catch (Exception e) {
+        } catch (IOException e) {
             // needed to catch exceptions from the "finally" statement
-            LOGGER.error("Error scanning a node for HeartBleed: {}", e.getMessage(), e);
+            LOGGER.debug("Error scanning a node for HeartBleed: {}", e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java

@@ -409,13 +409,13 @@ private static List<String> getOptionalList(JSONObject jsonObj, String key) {
     private String readPayloadsFile(String path) {
         File f = new File(path);
         if (!f.exists()) {
-            LOGGER.error("No such file: {}", f.getAbsolutePath());
+            LOGGER.warn("No such file: {}", f.getAbsolutePath());
             return "";
         }
         try {
             return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
         } catch (IOException e) {
-            LOGGER.error(
+            LOGGER.warn(
                     "Error on opening/reading {} payload file. Error: {}",
                     getName(),
                     e.getMessage(),

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java

@@ -156,7 +156,7 @@ public void scan(HttpMessage msg, String param, String value) {
             scanWithPayloads(param, ATTACK_PATTERNS_CVE44228, PREFIX_CVE44228);
             scanWithPayloads(param, ATTACK_PATTERNS_CVE45046, PREFIX_CVE45046);
         } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.warn(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -95,8 +96,8 @@ public void scan(HttpMessage msg, String param, String value) {
             this.setParameter(msg1, param, SourceSinkUtils.getUniqueValue(msg1, param));
             LOGGER.debug("Prime msg={} param={}", msg1.getRequestHeader().getURI(), param);
             sendAndReceive(msg1, false);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -146,8 +147,8 @@ private List<HtmlContext> performAttack(
         setParameter(sourceMsg2, param, attack);
         try {
             sendAndReceive(sourceMsg2);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -157,8 +158,8 @@ private List<HtmlContext> performAttack(
         HttpMessage sinkMsg2 = sinkMsg.cloneRequest();
         try {
             sendAndReceive(sinkMsg2);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -690,8 +691,8 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
                     }
                 }
             }
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -102,8 +103,8 @@ public void scan() {
             sendAndReceive(msg1, false);
             SourceSinkUtils.testForSink(msg1);
 
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -178,8 +179,8 @@ private boolean scan(URI originalURI, URI attackURI, String payload) {
                 buildAlert(payload, responseBody).setMessage(attackmsg).raise();
                 return true;
             }
-        } catch (Exception e) {
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Error scanning a URL for Remote Code Execution via CVE-2012-1823: {}",
                     e.getMessage(),
                     e);

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -184,8 +185,8 @@ public void scan() {
                     buildAlert(sourceCode).setMessage(attackmsg).raise();
                 }
             }
-        } catch (Exception e) {
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Error scanning a Host for Source Code Disclosure via CVE-2012-1823: {}",
                     e.getMessage(),
                     e);

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java

@@ -24,6 +24,7 @@
 import com.strobel.decompiler.PlainTextOutput;
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.OutputStream;
 import java.util.Arrays;
 import java.util.Collections;
@@ -267,8 +268,8 @@ public void scan() {
                 javaClassesFound.remove(classname);
                 javaClassesHandled.add(classname);
             }
-        } catch (Exception e) {
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Error scanning a Host for Source Code Disclosure via the WEB-INF folder: {}",
                     e.getMessage(),
                     e);

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java

@@ -382,13 +382,11 @@ private void sendPayloadsToMakeCallBack(String paramName, String[] commandExecPa
                             ex.getMessage(),
                             msg.getRequestHeader().getURI());
                 } catch (IOException ex) {
-                    LOGGER.warn(
+                    LOGGER.debug(
                             "SSTI vulnerability check failed for parameter [{}] and payload [{}] due to an I/O error",
                             paramName,
                             payload,
                             ex);
-                } catch (Exception ex) {
-                    LOGGER.error("Failed SSTI rule with payload [{}]", payload, ex);
                 }
             }
         }

addOns/ascanrulesAlpha/CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - The Web Cache Deception scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
 - Depends on an updated version of the Common Library add-on.
+- Reduced usage of error level logging.
 
 ## [52] - 2025-10-07
 ### Added

addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrulesAlpha;
 
+import java.io.IOException;
 import java.net.UnknownHostException;
 import java.text.MessageFormat;
 import java.util.Collections;
@@ -547,10 +548,10 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) {
 
         } catch (UnknownHostException | URIException e) {
             LOGGER.debug("Failed to send HTTP message, cause: {}", e.getMessage());
-        } catch (Exception e) {
+        } catch (IOException e) {
             // Do not try to internationalise this.. we need an error message in any event..
             // if it's in English, it's still better than not having it at all.
-            LOGGER.error("An error occurred checking a url for LDAP Injection issues", e);
+            LOGGER.debug("An error occurred checking a url for LDAP Injection issues", e);
         }
     }
 
@@ -590,11 +591,9 @@ protected boolean responseMatches(HttpMessage msg, Pattern pattern) {
      * @param placeboMessage the message used to send the placebo attack
      * @param parameterName the name of the parameter which was attacked
      * @return
-     * @throws Exception
      */
     private boolean checkResultsForLDAPAlert(
-            HttpMessage attackMessage, HttpMessage placeboMessage, String parameterName)
-            throws Exception {
+            HttpMessage attackMessage, HttpMessage placeboMessage, String parameterName) {
         // compare the request response with each of the known error messages,
         // for each of the known LDAP implementations.
         // in order to minimise false positives, only consider a match

addOns/ascanrulesBeta/CHANGELOG.md

@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Changed
 - Depends on an updated version of the Common Library add-on.
+- Reduced usage of error level logging.
 
 ## [62] - 2025-09-18
 ### Added

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrulesBeta;
 
+import java.io.IOException;
 import java.net.MalformedURLException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -392,8 +393,8 @@ public void scan() {
                 LOGGER.debug(
                         "The URI has no filename component, so there is not much point in looking for a corresponding backup file!");
             }
-        } catch (Exception e) {
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Error scanning a request for Backup File Disclosure: {}", e.getMessage(), e);
         }
     }
@@ -441,7 +442,7 @@ private static boolean isEmptyResponse(byte[] response) {
         return response.length == 0;
     }
 
-    private void findBackupFile(HttpMessage originalMessage) throws Exception {
+    private void findBackupFile(HttpMessage originalMessage) throws IOException {
 
         try {
             boolean gives404s = true;
@@ -796,8 +797,8 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
                 }
             }
 
-        } catch (Exception e) {
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Some error occurred when looking for a backup file for '{}'",
                     originalMessage.getRequestHeader().getURI(),
                     e);

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java

@@ -154,12 +154,16 @@ public void scan() {
 
             scanSilverlightCrossdomainPolicyFile(originalURI);
 
-        } catch (Exception e) {
-            // needed to catch exceptions from the "finally" statement
-            LOGGER.error(
+        } catch (IOException e) {
+            LOGGER.debug(
                     "Error scanning a node for Cross Domain misconfigurations: {}",
                     e.getMessage(),
                     e);
+        } catch (XPathExpressionException xei) {
+            LOGGER.error(
+                    "Error scanning a node for Cross Domain misconfigurations: {}",
+                    xei.getMessage(),
+                    xei);
         }
     }
 

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ExpressionLanguageInjectionScanRule.java

@@ -190,7 +190,7 @@ public void scan(HttpMessage msg, String paramName, String value) {
         } catch (IOException ex) {
             // Do not try to internationalise this.. we need an error message in any event..
             // if it's in English, it's still better than not having it at all.
-            LOGGER.error(
+            LOGGER.debug(
                     "Expression Language Injection vulnerability check failed for parameter [{}] and payload [{}] due to an I/O error",
                     paramName,
                     payload,

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitMetadata.java

@@ -21,6 +21,7 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
 import java.util.Map;
@@ -320,7 +321,7 @@ public byte[] getObjectData(
             try {
                 packinfofiledata = getURIResponseBody(uri, false, basemsg);
             } catch (FileNotFoundException e) {
-                LOGGER.error(
+                LOGGER.warn(
                         "We could not read '{}' to get the name of the pack file containing the content: {}",
                         uri,
                         e.getMessage());
@@ -1005,8 +1006,8 @@ private byte[] getPackedObjectData(
                                 + inflatedObjectData.length);
 
             return inflatedObjectData;
-        } catch (Exception e) {
-            LOGGER.error("Some error occurred extracting a packed object", e);
+        } catch (IOException e) {
+            LOGGER.debug("Some error occurred extracting a packed object", e);
             throw e;
         }
     }

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRule.java

@@ -226,7 +226,7 @@ public void scan() {
             }
             return;
         } catch (IOException e) {
-            LOGGER.error("Request couldn't go through:", e);
+            LOGGER.debug("Request couldn't go through:", e);
             return;
         }
     }