Testing ZAP-Proxy with JAVA client


Usman Waheed
Jun 20, 2013, 8:26:46 AM
to zaproxy...@googlegroups.com
Hi,

I took the code from the ZAP documentation and stripped it down so that it only does the following:

1. Start the ZAP proxy in daemon mode on port 8090
2. Stop the ZAP proxy

The code looks like:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;

public class DaemonWaveIntegrationTest {

        // Fetch a URL through the given proxy and return the response body line by line.
        private List<String> openUrlViaProxy (Proxy proxy, String apiurl) throws Exception {
                List<String> response = new ArrayList<>();
                URL url = new URL(apiurl);
                HttpURLConnection uc = (HttpURLConnection)url.openConnection(proxy);
                uc.connect();

                // try-with-resources closes the reader even if readLine() throws
                try (BufferedReader in = new BufferedReader(new InputStreamReader(uc.getInputStream()))) {
                        String inputLine;
                        while ((inputLine = in.readLine()) != null) {
                                response.add(inputLine);
                        }
                }
                return response;
        }

        private void startZAP () throws Exception {
                // ZAP.main(new String[]{"-daemon"});
                // Thread.sleep(5000);
        }

        private void stopZAP (Proxy proxy) throws Exception {
                // TODO not found a reliable way of doing this inline yet :(
        }

        public void testDaemonWave () throws Exception {

                startZAP();

                Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("localhost", 8090));

                // Access one page via the proxy
                openUrlViaProxy(proxy, "http://localhost:8080/bodgeit/");
                Thread.sleep(2000);

                stopZAP(proxy);


        }

        public static void main(String[] args) throws Exception {
                DaemonWaveIntegrationTest test = new DaemonWaveIntegrationTest();
                test.testDaemonWave ();
        }
}

The above works if I manually start the ZAP proxy and have it running on port 8090.

What I am missing is the API calls inside the startZAP and stopZAP methods. Can anyone point to any clues here, please? I tried to look for some documentation that better explains the API calls but could not find it. Will appreciate it.

Thanks and Regards,
Usman

thc202
Jun 20, 2013, 10:36:00 AM
to zaproxy...@googlegroups.com
Hi.

Example code to start ZAP, access the target and stop ZAP using Java:

import org.zaproxy.clientapi.core.ClientApi;

public class ZapJavaClientExample {

    private static final int ZAP_PORT = 8090;

    private static final String TARGET = "http://localhost:8080/bodgeit/";

    private static void startZap() throws Exception {
        System.out.println("Starting ZAP...");
        // Path to zap.sh or zap.bat. Every command-line argument is a separate
        // ProcessBuilder element: "-port" and its value must not be joined into one string.
        new ProcessBuilder("/path/to/zap.sh", "-daemon", "-port", String.valueOf(ZAP_PORT)).start();

        // Fixed wait for the daemon to come up; adjust for slower machines
        System.out.println("Waiting for ZAP...");
        Thread.sleep(15000);

    }

    public static void main(String[] args) throws Exception {
        startZap();

        final ClientApi clientApi = new ClientApi("localhost", ZAP_PORT);

        System.out.println("Accessing target: " + TARGET);
        clientApi.accessUrl(TARGET);

        System.out.println("Shutdown ZAP.");
        clientApi.core.shutdown();
    }
}

In the example I'm using the ZAP Java Client API [1] (which is bundled with ZAP, although there's a newer version available).

If the use of the ZAP Java Client does not suit your needs, you can stop ZAP by calling the "shutdown" API action:

private void stopZAP (Proxy proxy) throws Exception {
    openUrlViaProxy(proxy, "http://zap/JSON/core/action/shutdown/");
}


[1] https://code.google.com/p/zaproxy/downloads/list?q=java+client+api

Best regards.

Usman Waheed
Jun 24, 2013, 3:53:43 AM
to zaproxy...@googlegroups.com
Hi,

Your example code works and I tested and verified it.
I intend to work with the API to perform a spider and active scan against a list of URLs, which I am going to test next.
Will post my findings here. I do have to say that the Java API docs can be improved for beginners like us; maybe I can help to compile the examples and post them on the wiki, just a thought?

Thanks,
Usman

Final sample code:

import org.zaproxy.clientapi.core.ClientApi;

public class ZapJavaClientExample {

    private static final int ZAP_PORT = 8090;

    private static final String TARGET = "http://localhost:8080/bodgeit/";

    private static void startZap() throws Exception {
        System.out.println("Starting ZAP...");
        // Path to zap.sh. "-port" and its value are passed as separate arguments.
        new ProcessBuilder("/home/usmanw/ZAP_2.1.0/zap.sh", "-port", String.valueOf(ZAP_PORT)).start();

        System.out.println("Waiting for ZAP to start...");
        Thread.sleep(15000);

    }

    public static void main(String[] args) throws Exception {

        startZap();

        final ClientApi clientApi = new ClientApi("localhost", ZAP_PORT);

        System.out.println("Accessing target: " + TARGET);
        clientApi.accessUrl(TARGET);

        System.out.println("Shutting down ZAP...");
        clientApi.core.shutdown();

    }
}

Please note: I started ZAP in UI mode and not daemon mode just to cross-check if the URL is accessed. In order to start in daemon mode, you can use:
new ProcessBuilder("/path/to/zap.sh", "-daemon", "-port", String.valueOf(ZAP_PORT)).start();

psiinon
Jun 24, 2013, 5:53:37 AM
to zaproxy...@googlegroups.com
Yes, some of the feedback from the questionnaire shows a lot of people are having problems with the API docs :(
If you could help improve them then that would be great :D
Your perspective is likely to be much closer to what other people are looking for than mine is (I've written most of the API docs, so they are my fault;)

Many thanks,

Simon

Usman Waheed
Jun 24, 2013, 7:37:46 AM
to zaproxy...@googlegroups.com
Hi Simon,

Not a problem. If you can point me to where to post the docs (maybe a wiki?) I can post the examples there as I work on my stuff etc.
I assume novice users like me find the API docs a little too advanced, but they do make sense and might require some updates.

Would be more than glad to compile the documentation with examples.

Regards,
Usman


Usman Waheed
Jul 16, 2013, 7:46:31 AM
to zaproxy...@googlegroups.com
thc202 asked me to post the final example code I have to stop/start the ZAP proxy.
Pasting it here so it might be useful for someone else as well.

import org.zaproxy.zap.ZAP;   // from zap.jar, which must be on the classpath

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class Test {

  private static final int ZAP_PORT = 8090;

  // Target used throughout this thread
  private static final String url_to_spider = "http://localhost:8080/bodgeit/";

  // Fetch a URL through the given proxy and return the response body line by line.
  private List<String> openUrlViaProxy (Proxy proxy, String apiurl) throws Exception {
    List<String> response = new ArrayList<>();
    URL url = new URL(apiurl);
    HttpURLConnection uc = (HttpURLConnection)url.openConnection(proxy);
    uc.connect();

    try (BufferedReader in = new BufferedReader(new InputStreamReader(uc.getInputStream()))) {
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        response.add(inputLine);
      }
    }
    return response;
  }

  private void startZAP () throws Exception {
    // User-Agent sent by this JVM's HTTP client (and therefore seen by the target)
    Properties props = System.getProperties();
    props.setProperty("http.agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)");

    // Start ZAP in-process in daemon mode, listening on the port the proxy below points at
    // (ZAP's default port is 8080, which would collide with the target)
    ZAP.main(new String[]{"-daemon", "-port", String.valueOf(ZAP_PORT)});
    Thread.sleep(10000);
  }

  private void stopZAP (Proxy proxy) throws Exception {
    // API call sent to ZAP's own address; the shutdown action is under JSON/core/action/
    openUrlViaProxy(proxy, "http://localhost:" + ZAP_PORT + "/JSON/core/action/shutdown/");
  }

  public void testDaemonWave () throws Exception {

    startZAP();
    Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("localhost", ZAP_PORT));
    openUrlViaProxy(proxy, url_to_spider);
    Thread.sleep(5000);

    // Shutdown ZAP
    System.out.println("Shutting down ZAP ...");
    stopZAP(proxy);
    System.out.println("ZAP Shutdown complete ...");

  }

  public static void main(String[] args) throws Exception {

    Test test = new Test();
    test.testDaemonWave();

  }
}



Mostafa
Sep 30, 2013, 7:39:36 AM
to zaproxy...@googlegroups.com
Hi thc202,
I've tested the code you've posted to run ZAP in daemon mode and test to see if I can access any URL from within code. But here is the error I get when trying to run this piece of code:
Exception in thread "main" java.io.IOException: Cannot run program "C:/Program Files (x86)/OWASP/Zed Attack Proxy/zap.sh": CreateProcess error=193, %1 is not a valid Win32 application
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1041)
    at mostafa.Test2.startZap(Test2.java:14)
    at mostafa.Test2.main(Test2.java:22)
Caused by: java.io.IOException: CreateProcess error=193, %1 is not a valid Win32 application
    at java.lang.ProcessImpl.create(Native Method)
    at java.lang.ProcessImpl.<init>(ProcessImpl.java:385)
    at java.lang.ProcessImpl.start(ProcessImpl.java:136)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1022)
    ... 2 more

Have no idea how to resolve it. Any help would be greatly appreciated.

Thanks.

psiinon
Sep 30, 2013, 7:44:36 AM
to zaproxy...@googlegroups.com
Hi Mostafa,

It looks like you're using Windows, so you will need to change to use either zap.bat or zap.exe rather than the Linux zap.sh script.

Cheers,

Simon
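Pulling thc202's start/wait/shutdown pattern and Simon's zap.bat point together, here is an added example (not code from this thread or from the ZAP project) that launches ZAP as a child process with the launcher chosen by OS, polls the API until it answers instead of sleeping a fixed 15 seconds, fetches the target through the proxy, and shuts ZAP down via the API, then waits for the process to exit. It uses only java.net, so it works without the Java Client API jar. ZAP_HOME, the timeouts and the empty API_KEY are assumptions; the API key is only needed on newer ZAP releases that enforce one by default. It needs Java 8 for Process.isAlive, waitFor(timeout) and destroyForcibly.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLEncoder;
import java.util.concurrent.TimeUnit;

public class ZapDaemonRunner {

    private static final String ZAP_HOME = "/path/to/ZAP";   // assumption: your unpacked ZAP install
    private static final int ZAP_PORT = 8090;
    private static final String TARGET = "http://localhost:8080/bodgeit/";
    // Newer ZAP releases require an API key for actions such as shutdown; empty = not enforced.
    private static final String API_KEY = "";
    private static final long START_TIMEOUT_MS = 60_000;

    private final Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("localhost", ZAP_PORT));
    private Process zap;

    /** Launch zap.sh or zap.bat depending on the host OS, then block until the API answers. */
    public void start() throws IOException, InterruptedException {
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        String launcher = ZAP_HOME + (windows ? "/zap.bat" : "/zap.sh");
        // "-port" and its value are separate argv elements; "-port 8090" as one element
        // only works if the launcher script happens to re-split it.
        ProcessBuilder pb = new ProcessBuilder(launcher, "-daemon", "-port", String.valueOf(ZAP_PORT));
        pb.inheritIO();                        // ZAP's console output goes to ours
        zap = pb.start();
        waitUntilReady();
    }

    /** Poll core/view/version instead of a fixed sleep; fail fast if ZAP dies or hangs. */
    private void waitUntilReady() throws IOException, InterruptedException {
        long deadline = System.currentTimeMillis() + START_TIMEOUT_MS;
        while (System.currentTimeMillis() < deadline) {
            if (!zap.isAlive()) {
                throw new IOException("ZAP exited during startup, code " + zap.exitValue());
            }
            try {
                if (apiCall("core/view/version") == 200) {
                    return;
                }
            } catch (IOException notListeningYet) {
                // proxy port not open yet, keep polling
            }
            Thread.sleep(1000);
        }
        zap.destroyForcibly();
        throw new IOException("ZAP not ready after " + START_TIMEOUT_MS + " ms");
    }

    /** ZAP API request sent through the proxy to ZAP's own "zap" host; returns the HTTP status. */
    private int apiCall(String endpoint) throws IOException {
        String url = "http://zap/JSON/" + endpoint + "/";
        if (!API_KEY.isEmpty()) {
            url += "?apikey=" + URLEncoder.encode(API_KEY, "UTF-8");
        }
        return fetch(url);
    }

    /** Fetch a URL via the proxy and return the HTTP status code. */
    public int fetch(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection(proxy);
        conn.setConnectTimeout(2000);
        conn.setReadTimeout(10000);
        try {
            return conn.getResponseCode();     // does not throw on 4xx/5xx
        } finally {
            conn.disconnect();
        }
    }

    /** Ask ZAP to shut down, then wait for the child process to exit rather than sleeping. */
    public void stop() throws InterruptedException {
        try {
            apiCall("core/action/shutdown");
        } catch (IOException connectionDroppedWhileExiting) {
            // ZAP may close the socket before the response is fully read
        }
        if (!zap.waitFor(30, TimeUnit.SECONDS)) {
            zap.destroyForcibly();
        }
    }

    public static void main(String[] args) throws Exception {
        ZapDaemonRunner runner = new ZapDaemonRunner();
        runner.start();
        try {
            System.out.println("Target status: " + runner.fetch(TARGET));
        } finally {
            runner.stop();
        }
    }
}
```

The readiness check and the shutdown both go through the proxy port itself, so the same code path that later drives spidering and scanning is what confirms ZAP is up; if ZAP exits early (wrong launcher, port already in use) the loop reports it instead of silently sleeping and then failing on the first real request.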

Mostafa
Sep 30, 2013, 8:24:04 AM
to zaproxy...@googlegroups.com
What a mistake I had made!!!
Thanks Simon.