ZAP API ascan: Scan Tree

axi...@googlemail.com

Feb 11, 2013, 12:18:02 PM
to zaproxy...@googlegroups.com
Hi,

I'd like to run ZAP automatically to perform active scans on selected URLs.
After starting ZAP in daemon mode and calling clientApi.ascan.scan() I got stuck with errors like "URL Not Found in the Scan Tree (url_not_found)".
Basic calls to the API seem to work: clientApi.core.shutdown() works as expected.

Is there a way to activate a URL for scanning or to put it in the scan tree using the Java API?


Kind regards,

Markus

psiinon

Feb 11, 2013, 12:34:52 PM
to zaproxy...@googlegroups.com
Hi Markus,

The easiest way to do this is to just request the URL while proxying via ZAP.
The Java ClientApi has an 'accessUrl(String)' method which will do this for you.
You can also use the Spider to explore your app, or proxy regression tests.
We've talked about adding methods/options which would mean you don't have to do this, but so far not added any - that may change in the future of course.

Cheers,

Simon

axi...@googlemail.com

Feb 12, 2013, 2:56:22 AM
to zaproxy...@googlegroups.com
Hi Simon,

Thanks a lot for your quick reply!

Some things still look a bit strange:

1) accessUrl() does not seem to work with https URLs. Even for hosts which work fine in the proxy mode and can also be scanned via the GUI ("Active Scan single URL") I get an error like this one:
org.zaproxy.clientapi.core.ClientApiException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.zaproxy.clientapi.core.ClientApi.accessUrlViaProxy(ClientApi.java:331)
    at org.zaproxy.clientapi.core.ClientApi.accessUrl(ClientApi.java:84)

2) accessUrl() works for http hosts, but clientApi.ascan.scan(url, "false", "true") doesn't. I don't get an exception and I can even see "scanner started", entries for different scans and also "scanner completed" in the ZAP console, but the scanner run takes almost zero seconds and I cannot see a single HTTP request over the network (I used Wireshark).
Again - when I perform the same action "Active Scan single URL" for the same URL via the ZAP GUI, everything is fine: the scanner takes some seconds, but it also produces results and I can also see all the HTTP requests in Wireshark.

Could you please give me a hint where I could start debugging these issues?


Kind regards,
Markus

psiinon

Feb 12, 2013, 4:18:14 AM
to zaproxy...@googlegroups.com
Hi Markus,

For HTTPS you need to generate a Root CA certificate.
You can do this via the UI ("Tools" / "Options..." / "Dynamic SSL Certificate" / "Generate") or via the API (a core action: generateRootCA).
You may also need to import and trust the cert as a root CA cert in your client - that depends what client you are using.
You'll need to do that for your browser if you want to prevent the usual warnings.

You should probably be using clientApi.ascan.scan(url, "true", "false") - use recurse=true to scan the subtree (which may or may not be what you want) and only use inScopeOnly=true if you have declared one or more contexts.
I suspect you haven't, which will be why you don't see any network traffic - if you have inScopeOnly=true and the URL you specify is not in a context that's in scope then ZAP will ignore it.

Cheers,

Simon
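Putting Simon's steps together, as an added example that is not from the original thread or from the ZAP project: a small Java program that assumes ZAP is already running in daemon mode on 127.0.0.1:8080, generates the root CA, requests the target through the proxy so it lands in the scan tree, starts the active scan with recurse=true and inScopeOnly=false, polls until the scan finishes, and shuts ZAP down. The target URL is a constructed placeholder. Only accessUrl(), ascan.scan(url, recurse, inScopeOnly) and core.shutdown() appear in the thread; the core.generateRootCA() and ascan.status(scanId) wrappers, and the scan id being returned by ascan.scan(), follow later versions of the Java ClientApi and are assumptions here.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class ZapScanTreeExample {

    // Assumed: ZAP is already running in daemon mode on this address.
    private static final String ZAP_HOST = "127.0.0.1";
    private static final int ZAP_PORT = 8080;
    // Constructed placeholder target URL.
    private static final String TARGET = "http://target.example/";

    public static void main(String[] args) throws ClientApiException, InterruptedException {
        ClientApi api = new ClientApi(ZAP_HOST, ZAP_PORT);

        // 1. Only needed for HTTPS targets: without a root CA, ZAP cannot
        //    present a certificate for the proxied site and accessUrl() fails
        //    with the PKIX error quoted in the thread. (Assumed Java wrapper
        //    for the core action generateRootCA.)
        api.core.generateRootCA();

        // 2. Request the URL through ZAP's proxy. This is what puts the URL
        //    into the scan tree; ascan.scan() on a URL ZAP has never seen
        //    reports url_not_found instead.
        api.accessUrl(TARGET);

        // 3. Start the active scan. recurse=true scans the subtree below
        //    TARGET; inScopeOnly=false because no context has been defined,
        //    so inScopeOnly=true would make ZAP silently skip the URL and
        //    the scan would finish in zero seconds with no traffic.
        ApiResponse started = api.ascan.scan(TARGET, "true", "false");
        String scanId = ((ApiResponseElement) started).getValue();

        // 4. Poll the scan's progress until it reports 100%.
        //    (Assumed ascan.status(scanId) wrapper.)
        int progress = 0;
        while (progress < 100) {
            Thread.sleep(2000);
            ApiResponse status = api.ascan.status(scanId);
            progress = Integer.parseInt(((ApiResponseElement) status).getValue());
            System.out.println("Active scan " + scanId + ": " + progress + "%");
        }

        // 5. Stop the daemon once the scan has finished (shown to work in the thread).
        api.core.shutdown();
    }
}
```

For HTTPS targets the PKIX error comes from the JVM running this program, not from ZAP: the proxied TLS connection is terminated by ZAP, which presents a certificate signed by its own root CA, so that CA has to be trusted by the client JVM as well. Export the generated certificate from ZAP, import it into a truststore with `keytool -importcert -keystore zap-trust.jks -alias zap-root -file zap-root-ca.cer`, and run the program with `-Djavax.net.ssl.trustStore=zap-trust.jks`; keep that truststore confined to the scanning host, since anything trusting ZAP's CA will accept ZAP's interception.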

Vinothini Pandurangan

May 6, 2016, 1:12:17 AM
to OWASP ZAP Developer Group
Hi Markus,
Have you got this working?
I'm facing the same issue when I try to add the URL with https through the accessUrl() method to scan through the API.

org.zaproxy.clientapi.core.ClientApiException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Same url is working fine with ZAP tool. But I will have to do the same with API.


Thanks,

Vinothini

thc...@gmail.com

May 6, 2016, 4:41:21 AM
to zaproxy...@googlegroups.com
For the record this question was answered in:
https://groups.google.com/d/topic/zaproxy-develop/PPqg7QCaSmM/discussion

Best regards.

On 06/05/16 06:12, Vinothini Pandurangan wrote:
> Hi Markus,
> Have you got this working?
> I'm facing the same issue when I try to add the URL with *https*