Cannot locate configuration file source - when running via zap.bat or zap.sh


Chris Goldsmith

Nov 21, 2017, 10:41:47 AM
to OWASP ZAP User Group
I need to get our ZAP scans working via command line so that they can be scheduled, and have read through the docs at


We are not allowed to use other utils or tools like Jenkins because of other business controls, so I need to be able to do this using only ZAP itself.

I created a session file that has the context I created in it and tried running this on the Windows box that has ZAP installed:

 C:\Program Files\OWASP\Zed Attack Proxy> .\zap.bat -daemon -s C:\Users\c.goldsmith\Documents\boundary_app_session.session -daemon -session /opt/zaproxy/boundary/boundary_app_session.session -quickurl https://10.108.6.71:8080/ -quickout C:\Users\c.goldsmith\boundary.xml -quickprogress

and the equivalent on a Linux box with ZAP installed:

 ./zap.sh -daemon -session /opt/zaproxy/boundary/boundary_app_session.session -quickurl https://10.108.6.71:8080/ -quickout /home/ec2-user/boundary.xml -quickprogress


On both I get a privilege/permission error.

From the Windows box:

-----------------------

8112 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap  - Cannot locate configuration source boundary_app_session.session
org.apache.commons.configuration.ConfigurationException: Cannot locate configuration source boundary_app_session.session

        at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:259)
        at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:238)
        at org.apache.commons.configuration.AbstractHierarchicalFileConfiguration.load(AbstractHierarchicalFileConfiguration.java:184)
        at org.zaproxy.zap.utils.ZapXmlConfiguration.<init>(Unknown Source)
        at org.parosproxy.paros.model.Session.open(Unknown Source)
        at org.parosproxy.paros.model.Model.openSession(Unknown Source)
        at org.parosproxy.paros.control.Control.runCommandLineOpenSession(Unknown Source)
        at org.zaproxy.zap.HeadlessBootstrap.handleCmdLineSessionArgsSynchronously(Unknown Source)
        at org.zaproxy.zap.DaemonBootstrap$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Failed to open session: C:\opt\zaproxy\boundary\boundary_app_session.session
org.apache.commons.configuration.ConfigurationException: Cannot locate configuration source boundary_app_session.session

        at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:259)
        at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:238)
        at org.apache.commons.configuration.AbstractHierarchicalFileConfiguration.load(AbstractHierarchicalFileConfiguration.java:184)
        at org.zaproxy.zap.utils.ZapXmlConfiguration.<init>(Unknown Source)
        at org.parosproxy.paros.model.Session.open(Unknown Source)
        at org.parosproxy.paros.model.Model.openSession(Unknown Source)
        at org.parosproxy.paros.control.Control.runCommandLineOpenSession(Unknown Source)
        at org.zaproxy.zap.HeadlessBootstrap.handleCmdLineSessionArgsSynchronously(Unknown Source)
        at org.zaproxy.zap.DaemonBootstrap$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)


From the Linux box:
--------------------------------------------------------

17609 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap  - java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: PUBLIC.HISTORY in statement [ALTER TABLE HISTORY ADD COLUMN TAG VARCHAR(32768) DEFAULT '']
org.parosproxy.paros.db.DatabaseException: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: PUBLIC.HISTORY in statement [ALTER TABLE HISTORY ADD COLUMN TAG VARCHAR(32768) DEFAULT '']
        at org.parosproxy.paros.db.paros.ParosTableHistory.updateTable(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosTableHistory.reconnect(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosAbstractTable.databaseOpen(Unknown Source)
        at org.parosproxy.paros.db.AbstractDatabase.notifyListenersDatabaseOpen(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosDatabase.open(Unknown Source)
        at org.parosproxy.paros.model.Session.open(Unknown Source)
        at org.parosproxy.paros.model.Model.openSession(Unknown Source)
        at org.parosproxy.paros.control.Control.runCommandLineOpenSession(Unknown Source)
        at org.zaproxy.zap.HeadlessBootstrap.handleCmdLineSessionArgsSynchronously(Unknown Source)
        at org.zaproxy.zap.DaemonBootstrap$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: PUBLIC.HISTORY in statement [ALTER TABLE HISTORY ADD COLUMN TAG VARCHAR(32768) DEFAULT '']
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.<init>(Unknown Source)
        at org.hsqldb.jdbc.JDBCConnection.prepareStatement(Unknown Source)
        ... 11 more
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: PUBLIC.HISTORY
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.SchemaManager.getUserTable(Unknown Source)
        at org.hsqldb.ParserDDL.compileAlterTable(Unknown Source)
        at org.hsqldb.ParserDDL.compileAlter(Unknown Source)
        at org.hsqldb.ParserCommand.compilePart(Unknown Source)
        at org.hsqldb.ParserCommand.compileStatement(Unknown Source)
        at org.hsqldb.Session.compileStatement(Unknown Source)
        at org.hsqldb.StatementManager.compile(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        ... 13 more
Failed to open session: /opt/zaproxy/boundary/boundary_app_session.session
org.parosproxy.paros.db.DatabaseException: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: PUBLIC.HISTORY in statement [ALTER TABLE HISTORY ADD COLUMN TAG VARCHAR(32768) DEFAULT '']
        at org.parosproxy.paros.db.paros.ParosTableHistory.updateTable(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosTableHistory.reconnect(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosAbstractTable.databaseOpen(Unknown Source)
        at org.parosproxy.paros.db.AbstractDatabase.notifyListenersDatabaseOpen(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosDatabase.open(Unknown Source)
        at org.parosproxy.paros.model.Session.open(Unknown Source)
        at org.parosproxy.paros.model.Model.openSession(Unknown Source)
        at org.parosproxy.paros.control.Control.runCommandLineOpenSession(Unknown Source)
        at org.zaproxy.zap.HeadlessBootstrap.handleCmdLineSessionArgsSynchronously(Unknown Source)
        at org.zaproxy.zap.DaemonBootstrap$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: PUBLIC.HISTORY in statement [ALTER TABLE HISTORY ADD COLUMN TAG VARCHAR(32768) DEFAULT '']
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.<init>(Unknown Source)
        at org.hsqldb.jdbc.JDBCConnection.prepareStatement(Unknown Source)
        ... 11 more
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: PUBLIC.HISTORY
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.SchemaManager.getUserTable(Unknown Source)
        at org.hsqldb.ParserDDL.compileAlterTable(Unknown Source)
        at org.hsqldb.ParserDDL.compileAlter(Unknown Source)
        at org.hsqldb.ParserCommand.compilePart(Unknown Source)
        at org.hsqldb.ParserCommand.compileStatement(Unknown Source)
        at org.hsqldb.Session.compileStatement(Unknown Source)
        at org.hsqldb.StatementManager.compile(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        ... 13 more


Please help; I have attached my session file:
boundary_app_session.session

thc...@gmail.com

Nov 21, 2017, 11:07:07 AM
to zaprox...@googlegroups.com
Hi.

There are some missing files, a ZAP session is composed of 4 files:
<name>.session
<session-name>.properties
<session-name>.script
<session-name>.data

which need to be in the same folder.

The error in Linux is caused by the missing session files. In Windows
the path provided was not found.

The error messages need to be improved and we should document what files
are needed for a session...

Note that the "-quickurl" command line functionality does not use the
contexts defined in the session.

Best regards.

Chris Goldsmith

Nov 21, 2017, 11:16:27 AM
to OWASP ZAP User Group
Thanks! I was missing the .data file and the first scan is now running from the Linux server. If the context is not recognized, then how do I modify my command line or config files? The scan needs to log in to part of the Tomcat app to do a full scan; I had that user and auth set in the context.

kingthorin+owaspzap

Nov 21, 2017, 11:32:53 AM
to OWASP ZAP User Group
Contexts don't apply for "quick" scanning.

cdhgold

Nov 21, 2017, 11:40:03 AM
to zaprox...@googlegroups.com
I removed the -quickurl https://10.108.6.71:8080/ from my command line and now just have

 /opt/zaproxy)$ $ ./zap.sh -cmd -daemon -session /opt/zaproxy/boundary/boundary_app_session.session -quickout /home/ec2-user/boundary.xml -quickprogress 

It doesn't look like it is doing anything. I need it to spider and then run an active scan; what am I missing?

Here is the output I get. Thanks in advance for the help.

--------------------------------------
0(root@afs-c3-util /opt/zaproxy)$ ./zap.sh -cmd -daemon -session /opt/zaproxy/boundary/boundary_app_session.session -quickout /home/ec2-user/boundary.xml -quickprogress
Found Java version 1.8.0_141
Available memory: 3533 MB
Setting jvm heap size: -Xmx883m
0 [main] INFO org.zaproxy.zap.DaemonBootstrap  - OWASP ZAP 2.6.0 started 21/11/17 10:35:10
28 [main] INFO org.parosproxy.paros.network.SSLConnector  - Reading supported SSL/TLS protocols...
28 [main] INFO org.parosproxy.paros.network.SSLConnector  - Using a SSLEngine...
54 [main] INFO org.parosproxy.paros.network.SSLConnector  - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
15078 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate  - Unsafe SSL renegotiation disabled.
15378 [main] INFO hsqldb.db..ENGINE  - open start - state not modified
15491 [main] INFO hsqldb.db..ENGINE  - dataFileCache open start
15497 [main] INFO hsqldb.db..ENGINE  - dataFileCache open end
15538 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions
16249 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Installed add-ons: [[id=alertFilters, fileVersion=4], [id=ascanrules, fileVersion=26], [id=bruteforce, fileVersion=6], [id=coreLang, fileVersion=11], [id=diff, fileVersion=7], [id=directorylistv1, fileVersion=3], [id=fuzz, fileVersion=8, version=2.0.1], [id=gettingStarted, fileVersion=6], [id=help, fileVersion=7], [id=invoke, fileVersion=6], [id=jxbrowser, fileVersion=2], [id=jxbrowserlinux32, fileVersion=1], [id=jxbrowserlinux64, fileVersion=1], [id=onlineMenu, fileVersion=5], [id=pscanrules, fileVersion=19], [id=quickstart, fileVersion=19], [id=replacer, fileVersion=2], [id=reveal, fileVersion=2], [id=saverawmessage, fileVersion=3], [id=scripts, fileVersion=18], [id=selenium, fileVersion=10, version=1.1.0], [id=spiderAjax, fileVersion=17], [id=tips, fileVersion=6], [id=webdriverlinux, fileVersion=2], [id=websocket, fileVersion=12], [id=zest, fileVersion=23]]
16522 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Extensions loaded
16721 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Change user agent to other browsers.
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Detect insecure or potentially malicious content in HTTP responses.
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Detect and alert 'Set-cookie' attempt in HTTP response for modification.
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Avoid browser cache (strip off IfModifiedSince)
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Log cookies sent by browser.
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Log unique GET queries into file:filter/get.xls
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Log unique POST queries into file:  filter/post.xls
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Log request and response into file: filter/message.txt
16722 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Replace HTTP request body using defined pattern.
16723 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Replace HTTP request header using defined pattern.
16723 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Replace HTTP response body using defined pattern.
16723 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Replace HTTP response header using defined pattern.
16723 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory  - loaded filter Send ZAP session request ID
16863 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows ZAP to check for updates
16874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionViewOption
16874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionEdit
16874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionFilter
16874 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a rest based API for controlling and accessing ZAP
16912 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionState
16913 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionReport
16913 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHistory
16914 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Show hidden fields and enable disabled fields
16915 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Search messages for strings and regular expressions
16916 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Encode/Decode/Hash...
16916 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to intercept and modify requests and responses
16917 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive scanner
16965 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Script Passive Scan Rules
16965 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Stats Passive Scan Rule
16965 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure
16965 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
16967 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing
16967 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Web Browser XSS Protection Not Enabled
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Password Autocomplete in Browser
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing
16968 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner
16978 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to view and manage alerts
16979 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
16984 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Spider used for automatically finding URIs on a site
16989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing A set of common popup menus for miscellaneous tasks
16989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
16989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionManualRequest
16989 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Compares 2 sessions and generates an HTML file showing the differences
16990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Invoke external applications passing context related information such as URLs and parameters
16990 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles anti cross site request forgery (CSRF) tokens
16991 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionAuthentication
17005 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication  - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication]
17006 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
17021 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Logs errors to the Output tab in development mode only
17021 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionUserManagement
17023 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Summarise and analyse FORM and URL parameters as well as cookies
17024 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Script integration
17033 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Scripting console, supports all JSR 223 scripting languages
17033 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionForcedUser
17033 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Extension handling HTTP sessions
17035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools
17265 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionDiff
17265 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionRequestPostTableView
17265 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSessionManagement
17267 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement  - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management]
17268 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelRequestFormTableView
17268 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Capture messages from WebSockets with the ability to set breakpoints.
17276 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Core UI related functionality.
17276 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionAuthorization
17276 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing AJAX Spider, uses Crawljax
17277 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles adding Global Excluded URLs
17277 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds menu item to refresh the Sites tree
17278 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
17278 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing OWASP ZAP User Guide
17278 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a URL suitable for calling from target sites
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to configure which extensions are loaded when ZAP starts
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelComponentonentAll
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelHexView
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelImageView
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelLargeRequestView
17279 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelLargeResponseView
17280 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelRequestQueryCookieTableView
17280 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHttpPanelSyntaxHighlightTextView
17281 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active and passive rule configuration
17284 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Statistics
17285 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats  - Start recording in memory stats
17286 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Context alert rules filter
17287 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules
17287 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Translations of the core language files
17288 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
17289 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz HTTP messages.
17289 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The ZAP Getting Started Guide
17289 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionJxBrowser
17290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionJxBrowserLinux32
17290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtSelJxBrowserLinux32
17290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionJxBrowserLinux64
17290 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtSelJxBrowserLinux64
17299 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The Online menu links
17299 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules
17300 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Quick Start panel
17300 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Easy way to replace strings in requests and responses
17302 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveRawHttpMessage
17302 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
17306 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Tips and Tricks
17306 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz WebSocket messages.
17372 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback  - Started callback server on 0.0.0.0:37102
17463 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache commit start
17465 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache commit end
17474 [ZAP-daemon] INFO hsqldb.db..ENGINE  - Database closed
17622 [ZAP-daemon] INFO hsqldb.db..ENGINE  - open start - state modified
17636 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache open start
17650 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache open end
17679 [ZAP-daemon] INFO hsqldb.db..ENGINE  - checkpointClose start
17679 [ZAP-daemon] INFO hsqldb.db..ENGINE  - checkpointClose synched
17685 [ZAP-daemon] INFO hsqldb.db..ENGINE  - checkpointClose script done
17685 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache commit start
17707 [ZAP-daemon] INFO hsqldb.db..ENGINE  - dataFileCache commit end
17713 [ZAP-daemon] INFO hsqldb.db..ENGINE  - checkpointClose end
19872 [ZAP-daemon] INFO org.parosproxy.paros.control.Control  - Session file opened
21313 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on localhost:8080
------------------------------------------------------------------------------------------------------------------------------------------------------------



On Tue, Nov 21, 2017 at 10:32 AM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
Contexts don't apply for "quick" scanning.


thc...@gmail.com

Nov 21, 2017, 11:44:54 AM
to zaprox...@googlegroups.com
You would have to use the ZAP API [1] to start the scans (spider/active)
and generate the report.


[1] https://github.com/zaproxy/zaproxy/wiki/ApiDetails

Best regards.

Simon Bennetts

Nov 21, 2017, 11:47:06 AM
to OWASP ZAP User Group
You're supplying both "-cmd -daemon"; don't supply "-daemon", it's probably getting ZAP confused.
The -daemon flag is used to run ZAP in headless mode, which you don't want in this case.

Cheers,

Simon

cdhgold

Nov 21, 2017, 11:57:46 AM
to zaprox...@googlegroups.com
My goal is to be able to run this in a cron job. I'll update and run with just -cmd.

cdhgold

Nov 21, 2017, 12:03:37 PM
to zaprox...@googlegroups.com
Ran without -daemon and nothing happened:

(root@afs-c3-util /opt/zaproxy)$ ./zap.sh -cmd -session /opt/zaproxy/boundary/boundary_app_session.session -quickout /home/ec2-user/boundary.xml -quickprogress
Found Java version 1.8.0_141
Available memory: 3533 MB
Setting jvm heap size: -Xmx883m
0(root@afs-c3-util /opt/zaproxy)$ cat /home/ec2-user/boundary.xml
cat: /home/ec2-user/boundary.xml: No such file or directory



Simon Bennetts

Nov 21, 2017, 12:22:08 PM
to OWASP ZAP User Group
You're missing the key option: -quickurl

https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsQuickstartCmdline

Cheers,

Simon

cdhgold

Nov 21, 2017, 12:32:52 PM
to zaprox...@googlegroups.com
Earlier in this thread I was told that quickurl doesn't recognize the context, and I thought I needed to use the context for the scan to log in.

Let me try to state better what I'm trying to do, because I don't think I was clear enough at first.

The end goal is to be able to run a ZAP scan via a Linux cron job that does a spider and active scan against web apps that require a login to be able to scan the full app.

I thought that to do the authentication in the scan (which I may not have set up right) I needed to set the user, password and auth URL in the context. To that end I set up the context and saved it in a session on a Windows box with the GUI, and copied that session to the Linux box where I'm trying to run the scan.

I have attached my context file.

During this thread I installed the Python API client:
(root@afs-c3-util /opt/zaproxy)$ pip install /home/ec2-user/boundary_zap/python_owasp_zap_v2.4-0.0.12-py2.py3-none-any.whl
Processing /home/ec2-user/boundary_zap/python_owasp_zap_v2.4-0.0.12-py2.py3-none-any.whl
Requirement already satisfied: six in /usr/lib/python2.7/site-packages (from python-owasp-zap-v2.4==0.0.12)
Collecting requests (from python-owasp-zap-v2.4==0.0.12)
  Downloading requests-2.18.4-py2.py3-none-any.whl (88kB)
    100% |████████████████████████████████| 92kB 3.1MB/s
Collecting certifi>=2017.4.17 (from requests->python-owasp-zap-v2.4==0.0.12)
  Downloading certifi-2017.11.5-py2.py3-none-any.whl (330kB)
    100% |████████████████████████████████| 337kB 2.3MB/s
Collecting chardet<3.1.0,>=3.0.2 (from requests->python-owasp-zap-v2.4==0.0.12)
  Downloading chardet-3.0.4-py2.py3-none-any.whl (133kB)
    100% |████████████████████████████████| 143kB 3.9MB/s
Collecting idna<2.7,>=2.5 (from requests->python-owasp-zap-v2.4==0.0.12)
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 4.4MB/s
Collecting urllib3<1.23,>=1.21.1 (from requests->python-owasp-zap-v2.4==0.0.12)
  Downloading urllib3-1.22-py2.py3-none-any.whl (132kB)
    100% |████████████████████████████████| 133kB 3.8MB/s
Installing collected packages: certifi, chardet, idna, urllib3, requests, python-owasp-zap-v2.4
  Found existing installation: chardet 2.2.1
    Uninstalling chardet-2.2.1:
      Successfully uninstalled chardet-2.2.1
Successfully installed certifi-2017.11.5 chardet-3.0.4 idna-2.6 python-owasp-zap-v2.4-0.0.12 requests-2.18.4 urllib3-1.22

but am unsure how to use it.

I grabbed the sample file from the site and put in my URL, but it doesn't run:

-------------------------------------------------------------------------------------------------------------------------

(root@afs-c3-util /opt/zaproxy)$ cat boundary.py
#!/usr/bin/env python

import time
from pprint import pprint
from zapv2 import ZAPv2

# Target taken from the run below. ZAP must already be running in daemon mode
# (e.g. zap.sh -daemon) on 127.0.0.1:8080, otherwise the client fails with
# "Cannot connect to proxy" before it ever reaches the target.
target = 'https://10.108.6.71:8080'

# Change to match the API key set in ZAP, or use None (not the string 'None') if the API key is disabled
apikey = None

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apikey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

# do stuff
print('Accessing target %s' % target)
# try have a unique enough session...
zap.urlopen(target)
# Give the sites tree a chance to get updated
time.sleep(2)

print('Spidering target %s' % target)
scanid = zap.spider.scan(target)
# Give the Spider a chance to start
time.sleep(2)
while int(zap.spider.status(scanid)) < 100:
    # status() returns the completion percentage as a string
    print('Spider progress %: ' + zap.spider.status(scanid))
    time.sleep(2)

print('Spider completed')
# Give the passive scanner a chance to finish
time.sleep(5)

print('Scanning target %s' % target)
scanid = zap.ascan.scan(target)
while int(zap.ascan.status(scanid)) < 100:
    print('Scan progress %: ' + zap.ascan.status(scanid))
    time.sleep(5)

print('Scan completed')

# Report the results

print('Hosts: ' + ', '.join(zap.core.hosts))
print('Alerts: ')
pprint(zap.core.alerts())
---------------------------------------------------------------------------------------------------------------------------------

(root@afs-c3-util /opt/zaproxy)$ ./boundary.py
Accessing target https://10.108.6.71:8080
Traceback (most recent call last):
  File "./boundary.py", line 18, in <module>
    zap.urlopen(target)
  File "/usr/lib/python2.7/site-packages/zapv2/__init__.py", line 124, in urlopen
    return requests.get(url, proxies=self.__proxies, verify=False, *args, **kwargs).text
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 502, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPSConnectionPool(host='10.108.6.71', port=8080): Max retries exceeded with url: / (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x2acdf50>: Failed to establish a new connection: [Errno 111] Connection refused',)))



app_8080.context

Chris Goldsmith

Nov 21, 2017, 3:47:26 PM
to OWASP ZAP User Group
Update on where I'm at: I ran the following command


./zap.sh -daemon -session /opt/zaproxy/boundary/boundary_app_session.session -quickurl https://10.108.6.71:8080/ -quickout /home/ec2-user/boundary.xml  -quickprogress

I got the attached output, which looks like both a spider scan and an active scan but without any authentication.

Am I reading the output log correctly?
boundary.xml

kingthorin+owaspzap

Nov 21, 2017, 6:29:18 PM
to OWASP ZAP User Group
That seems right for use of the "quick" options

cdhgold

Nov 21, 2017, 7:54:46 PM
to zaprox...@googlegroups.com
If I drop the quickurl option, nothing happens. How do I make sure it is a full scan?


kingthorin+owaspzap

Nov 21, 2017, 8:42:32 PM
to OWASP ZAP User Group
If you want to take advantage of context you have to interact with the API to launch the spider, poll for it to finish. Launch an active scan, poll for it to finish. Ensure passive scanning completes. Then report.

cdhgold

Nov 21, 2017, 9:33:49 PM
to zaprox...@googlegroups.com
I know I have to use an API tool like the Python client, but it craps out on me.

Can you give me some examples?


thc...@gmail.com

Nov 22, 2017, 3:54:50 AM
to zaprox...@googlegroups.com
The Python script you posted earlier looks correct. It's probably
failing because of a wrong API key. [1]

There's an example in:
https://github.com/soprasteria/zap-api-python/blob/4b7e5ddbcac9401549a6bb3c857df46b13f8814a/src/examples/zap_example_api_script.py

[1] https://github.com/zaproxy/zaproxy/wiki/FAQapikey

Best regards.


cdhgold

Nov 22, 2017, 5:23:35 AM
to zaprox...@googlegroups.com
Thanks, I get back into the office at 7am CST and will check it out then.


Chris Goldsmith

Nov 22, 2017, 10:33:27 AM
to OWASP ZAP User Group
First off, thanks for the info and assistance. I solved what was keeping the simple Python script from running; now I just need to get the fully functioning version working.

I took the example you linked to and modified it with our values; however, when I run it, it does not appear to work, as I get fairly sparse, generic, empty results, as shown in the attached HTML file it outputs. I have also attached my version, which has been scrubbed of IP and credentials. The sample app we are trying / testing against is just the default Tomcat app and its manager section. I know I've got junk wrong, just not sure what, or what the correct thing is.
boundary_full.py
report.html

kingthorin+owaspzap

Nov 22, 2017, 10:55:36 AM
to OWASP ZAP User Group
For your context inclusion on line 92 you need to escape the URL properly (see the example back on line 45).

Your loginRequestData doesn't seem to be formatted (URL Encoded) correctly, see the example on L128-129

The logged out indicator you defined (or left defined) seems to be for webgoat (L145).

There might be other things, but that's what I noticed quickly.

I suggest that you get your scan working properly in the GUI first, then try doing it with the script/API.

cdhgold

Nov 22, 2017, 11:07:37 AM
to zaprox...@googlegroups.com
Thanks. The problem is that so far our scans have been manually done via someone running ZAP in the background on a Windows box and manually navigating the browser to fill in the auth details, and I'm still trying to get the ZAP GUI set right to do the auth in an automated manner.


Chris Goldsmith

Nov 22, 2017, 1:19:08 PM
to OWASP ZAP User Group
This is driving me nuts!! I got it to work in the GUI (boundary_gui_out.html) and saved that session / context data (boundary_app_ip.session) and copied that to the Linux server for the cmd line run.

I updated the Python script (boundary_scrubbed.py) to use the new session data and it ran without syntax errors but gave me the empty results in report2.html.
boundary_app_ip.session
boundary_gui_out.html
report2.html
boundary_full_scrubbed.py

kingthorin+owaspzap

Nov 22, 2017, 2:05:24 PM
to OWASP ZAP User Group
In the Python script your regexes and loginRequestData still seem to be wrong.

You don't need to copy the session/context data if you're setting isNewSession = True on line 36. If you're loading, then you need to copy all the necessary files as discussed earlier in this thread (not just the one).
Further, at line 84 you define defineNewContext = True, so really even if you were properly copying the session/context files they wouldn't be used.
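The sequence described earlier in this thread (new context, spider as a user, poll, active scan as that user, poll, let passive scanning finish, report) together with the two formatting points raised above (URL-encoded loginRequestData, properly escaped context include regex), as an added example that is not part of this thread and not the project's own example script. It assumes the zap-api-python client surface (zap.context, zap.authentication, zap.users, zap.spider, zap.ascan, zap.pscan, zap.core); the host app.example.test, the login URL and the FakeZap stand-in are constructed for offline use, and a real ZAPv2 instance goes in the same place.

```python
import re
import time
from types import SimpleNamespace
from urllib.parse import quote

def form_auth_config(login_url, request_data="username={%username%}&password={%password%}"):
    # formBasedAuthentication config: both parts URL-encoded; {%username%}/{%password%} are ZAP placeholders
    return "loginUrl=" + quote(login_url) + "&loginRequestData=" + quote(request_data)

def context_include_regex(base_url):
    # include_in_context takes a Java regex, not a URL: escape the dots in the host
    # (or IP) so they match literally, then allow every path beneath the base
    return re.escape(base_url) + ".*"

def run_authenticated_scan(zap, base_url, login_url, username, password,
                           logged_out_regex, context_name="cron-scan", poll=2.0):
    # the thread's order: context + auth + user, spider as user, active scan as user, drain pscan, report
    ctx = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, context_include_regex(base_url))
    zap.authentication.set_authentication_method(
        ctx, "formBasedAuthentication", form_auth_config(login_url))
    zap.authentication.set_logged_out_indicator(ctx, logged_out_regex)
    user = zap.users.new_user(ctx, username)
    zap.users.set_authentication_credentials(
        ctx, user, "username=" + quote(username) + "&password=" + quote(password))
    zap.users.set_user_enabled(ctx, user, True)
    sid = zap.spider.scan_as_user(ctx, user, base_url, recurse=True)
    while int(zap.spider.status(sid)) < 100:      # status() is a percentage string
        time.sleep(poll)
    sid = zap.ascan.scan_as_user(base_url, ctx, user, recurse=True)
    while int(zap.ascan.status(sid)) < 100:
        time.sleep(poll)
    while int(zap.pscan.records_to_scan) > 0:     # passive backlog must reach zero
        time.sleep(poll)
    return zap.core.htmlreport()

class FakeZap:
    # constructed offline ZAPv2 stand-in: records every zap.<api>.<method>(...) call, answers with canned values
    _RETURNS = {"new_context": "1", "new_user": "7", "status": "100",
                "htmlreport": "<html>constructed report</html>"}
    def __init__(self):
        self.calls, self.pscan = [], SimpleNamespace(records_to_scan="0")
    def __getattr__(self, api):
        class Sub:
            def __getattr__(_, method):
                def call(*args, **kwargs):
                    self.calls.append((f"{api}.{method}", args))
                    return self._RETURNS.get(method, "OK")
                return call
        return Sub()
```

The logged-out indicator passed in must be a regex that matches the target app's own unauthenticated response (its login form, for instance), not the WebGoat value that ships in the example script.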

cdhgold

Nov 22, 2017, 2:40:16 PM
to zaprox...@googlegroups.com
Since I posted my last reply I found this video, which shows me better how to set the regex for login / logout indicators: https://www.youtube.com/watch?v=cR4gw-cPZOA&list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB&index=7

I'll keep this thread updated; however, my work day ends at 3pm CST till Monday, so I may go "quiet" before it gets solved.
