Cannot Connect to OWASP ZAP server remotely


Terry Camerlengo

Feb 5, 2018, 8:22:56 AM
to OWASP ZAP User Group

I have a dedicated OWASP ZAP virtual server that I would like to connect to remotely in the following ways.

1.) From a unit test on a build machine.
2.) Using the Microsoft Team Foundation Server marketplace plugin, included as a step in a build definition. Found here: https://marketplace.visualstudio.com/items?itemName=kasunkodagoda.owasp-zap-scan
3.) Using OWASP ZAP 2.7.0 and all testing was conducted on Windows

Even though both are different use cases, I seem to be running into the same problem either way which is I cannot establish a connection to the OWASP server/port. Here is what I have tried:

1.) I set up the local proxies to listen on 0.0.0.0 on port 8080. I then start the ZAP proxy in a variety of ways (from a batch file, headless, and even using the GUI - all scenarios tried).
2.) I disabled the firewall just for a sanity check.
3.) I used portqry to inspect the ports on the server from a remote box. It reports the 8080 port as listening, which I suspect means it should receive connections.

After that I configured the marketplace plugin with the IP address + port, the API key, and a target URL to scan. I get a "root element is missing" error. When running OWASP in headless mode I monitored the output window on the server, and it looks like no connections were being received by OWASP. Confused by the message, I decided to build a unit test using the NuGet package OWaspZAPDotNetAPI in order to get a better feel for what is going on. I created a simple unit test which included the plugin and tried connecting to my remote OWASP server. Same problem - "root element is missing". The stack trace was not very informative but seems like the same issue - cannot connect to OWASP.

So then I decided to install OWASP locally and run the unit test, and I was instantly able to establish a connection to a local OWASP server and perform a spider. 

What step am I missing in order to start a scan remotely and receive a report? Does OWASP ZAP support this functionality?

Thanks. 

Simon Bennetts

Feb 5, 2018, 8:36:14 AM
to OWASP ZAP User Group
Hi Terry,

We had to increase the security of the ZAP API in 2.6.0 due to a set of vulnerabilities discovered by security researchers.
See this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
More details are in the 2.6.0 Release Notes: https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

We probably need to make this info easier to find :/

Cheers,

Simon

Terry Camerlengo

Feb 5, 2018, 12:12:42 PM
to OWASP ZAP User Group
Thanks for the response Simon. Still no luck however. If I am reading this correctly I need to do one of the following when starting ZAP from a console.

this would accept all connections starting with an IP address of 24 and run as a daemon, headless
>zap.bat -config api.addrs.addr.name=24.* -config api.addrs.addr.regex=true -daemon

this would allow all connections from anywhere, no restrictions
>zap.bat -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -daemon

this would allow connections only from a specific machine
>zap.bat -config api.addrs.addr.name=24.24.24.24 -daemon

this would change the API key and is optional. I excluded this step
>zap.bat -config api.key=my_new_key -daemon

I tried the above, but same results as before. What am I missing?

Thanks in advance for the help.

Simon Bennetts

Feb 5, 2018, 12:54:08 PM
to OWASP ZAP User Group
Are you supplying the API key?
If not then that will probably be a problem - if you don't set one (via something like "-config api.key=change-me-9203935709") then ZAP will set a random one which you won't know, and therefore you won't be able to use the API.
So do that or use "-config api.disablekey=true" to disable it.
If you're still having problems then look in the zap.log file (as per https://github.com/zaproxy/zaproxy/wiki/FAQhelp#check-the-log-file) and see if there are any errors or warnings in there.

Cheers,

Simon
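A stand-alone probe of a remote ZAP daemon's API that sends the key in the request header and reports why a CI step cannot talk to ZAP. This is an added example for this thread, not code from the ZAP project or the .NET client; it assumes ZAP was started with -daemon -config api.key=<key> and an api.addrs.addr.name entry that admits the probing host, and the mapping of error statuses to causes is an assumption rather than documented ZAP behaviour.

```python
"""Probe a remote ZAP daemon's API with plain urllib (no ZAP client library).
Assumed (not from the thread): ZAP runs with -daemon -config api.key=<key>
and api.addrs.addr.name admits this client; the error-status mapping is a guess."""
import json
import socket
import sys
import urllib.error
import urllib.request

API_KEY_HEADER = "X-ZAP-API-Key"  # ZAP also takes ?apikey=; a header keeps it out of URL logs


def api_url(host: str, port: int, component: str, view: str) -> str:
    """Build a ZAP JSON API view URL: /JSON/<component>/view/<view>/."""
    return f"http://{host}:{port}/JSON/{component}/view/{view}/"


def classify(status: int, body: str) -> str:
    """Turn an HTTP status and body into a short diagnosis for the CI log."""
    if status >= 400:
        # Assumption: ZAP answers with an error status when the key is wrong or
        # the client address is outside api.addrs; the body is not relied on.
        return f"refused ({status}): check api.key, api.addrs and zap.log"
    try:
        data = json.loads(body)
    except ValueError:
        # A body that is not the API format is what a client parser chokes on
        # (the .NET client's "root element is missing" is likely this case).
        return "not-json: answered by something other than the ZAP API"
    if "version" in data:
        return f"ok: ZAP {data['version']}"
    return "unexpected: " + ",".join(sorted(data))


def probe(host: str, port: int, api_key: str, timeout: float = 10.0) -> str:
    """Request core/version with the key in the header and classify the reply."""
    req = urllib.request.Request(api_url(host, port, "core", "version"),
                                 headers={API_KEY_HEADER: api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        # Nothing answered at all: firewall, NAT, or ZAP not bound to 0.0.0.0.
        return f"unreachable: {exc}"


if __name__ == "__main__":
    # usage: python zap_probe.py <host> <port> <api_key>
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```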

Terry Camerlengo

Feb 6, 2018, 6:50:27 AM
to zaprox...@googlegroups.com
Ok, I had some success connecting, but then got a number of errors. But I did make a connection. This may require a different post, but I got errors of the form <owaspurl>?<targeturl> timeouts. The target site was https. What sort of setup do I need to do when running OWASP as a daemon in terms of certificates and proxy setups under Internet Options/Connections? Is the setup the same as it would be if using the GUI? Is this documented somewhere?

Should my local proxy be set to 0.0.0.0:8081?

Thanks Simon.

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/Pzlsjp5usEE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/c42d52cd-a91c-4a55-9390-1b89942c938e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

kingthorin+owaspzap

Feb 6, 2018, 10:49:55 AM
to OWASP ZAP User Group
If you have the local proxy set to 0.0.0.0:port, that means it's listening on that port on all available network interfaces.

Terry Camerlengo

Feb 6, 2018, 7:03:47 PM
to OWASP ZAP User Group
I did a little more digging and I think I am experiencing this issue here: https://github.com/zaproxy/zaproxy/issues/2318 , the only difference is this is happening on Azure instead of AWS. But I do not think that is all that relevant.

First off, using api.disablekey=true and the regex wildcard does nothing for me. I am unable to establish any connection remotely with either approach. So what I do is the following:

I pass in an API key as a config option, as Simon suggested. Then I specify the IP address like the FAQ: -config api.addrs.addr.name=123.456.789.123.

Then I start ZAP in daemon mode and from a different machine I try to connect to the remote ZAP server; it hangs for a while and then reports this:
Failed to read http:/<my ip address here>:8081/ within 32 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

Once this message appears, the ZAP server console (and the logs) starts writing what seems to be an infinite loop of sorts:

179338 [ZAP-ProxyThread-5293] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to read http://<ip addr>:8081/ within 32 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
179338 [ZAP-ProxyThread-5292] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to read http://<ip addr>:8081/favicon.ico within 32 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

This goes on for a long time. Interestingly, if I change the LAN settings to a local proxy then sometimes the above URL will have the target URL (the website address) as a cmd parameter. Not really sure what is going on.

kingthorin+owaspzap

Feb 6, 2018, 7:28:15 PM
to OWASP ZAP User Group
I'd suggest getting it set up locally, so that you can be sure/clear of the details. Then try moving to the cloud.

Terry Camerlengo

Feb 6, 2018, 8:09:09 PM
to zaprox...@googlegroups.com
That is good advice and can work as a temporary solution. But longer term, I need to understand if ZAP supports this use case. Does this functionality work?

For instance, is it possible to use the OWASP ZAP VSTS marketplace plugin with a remote OWASP server? If not, then fine... we know it only works when OWASP is run locally.

If OWASP can work remotely with the marketplace plugin, then what settings do I need to make? There aren't that many and I have tried just about every possible combination. So if it is possible to get OWASP 2.7 to run remotely, I would like to know how. Otherwise, I will move on to a different approach or solution.

Thanks 


kingthorin+owaspzap

Feb 7, 2018, 2:37:26 AM
to OWASP ZAP User Group
So you're probably right, with Azure there is likely a NAT issue similar to AWS.

Yes you can install add-ons from the marketplace via the cli, eg:
https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline
https://github.com/zaproxy/zaproxy/issues/2171

Terry Camerlengo

Feb 7, 2018, 8:27:19 AM
to OWASP ZAP User Group
Thanks kingthorin.

I will check out those links. It does work like a charm locally. 

Is there a best practice in the OWASP community for automating API operations/scans as part of a daily or CI build process? A path well-trodden and documented?



kingthorin+owaspzap

Feb 7, 2018, 3:10:37 PM
to OWASP ZAP User Group

Terry Camerlengo

Feb 8, 2018, 4:05:18 PM
to OWASP ZAP User Group
This was solved by setting up a reverse proxy on the server running OWASP.

Lokesh Singhal

Aug 14, 2018, 12:02:59 PM
to OWASP ZAP User Group
Hi Terry, 

What steps did you follow?

I am also trying to do it.
My automation code is on my machine and I have installed ZAP on some other machine.
I want, when I run my code, it shall trigger the ZAP on my machine in daemon mode and run the automation successfully.

Thanks
Lokesh

Terry Camerlengo

Aug 14, 2018, 11:26:06 PM
to zaprox...@googlegroups.com
Lokesh,

We had some success setting up a reverse proxy on the OWASP server. Have you looked at that setup?


Kyle Lee

Apr 27, 2020, 10:35:51 AM
to OWASP ZAP User Group
I was able to access the API remotely by setting up a reverse proxy with Nginx.

I'm getting another error though:

2020-04-27T14:31:49.5244090Z ##[error]Task Failed. Error: "A scan failed to complete."

I am running on an Azure DevOps release pipeline through the marketplace add-on. The ZAP server is running on Docker.

124378 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Discard Session
124393 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - New Session
124394 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Create and Open Untitled Db
124418 [ZAP-ProxyThread-1] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache commit start
124424 [ZAP-ProxyThread-1] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache commit end
124449 [ZAP-ProxyThread-1] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - Database closed
124622 [ZAP-ProxyThread-1] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open start
124629 [ZAP-ProxyThread-1] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open end
