API can't be modified in webswing


Javi D R

Oct 23, 2017, 4:46:53 AM
to OWASP ZAP User Group
Hi

I am trying to modify the API configuration via Webswing in the Docker image, and the button to add new IPs to the list doesn't seem to be clickable.


Has anybody had this issue before?

Thanks

thc...@gmail.com

Oct 23, 2017, 4:52:36 AM
to zaprox...@googlegroups.com
Hi.

Yes, this is an issue with Webswing, more details in:
https://github.com/zaproxy/zaproxy/issues/3553

Best regards.

Javi D R

Oct 23, 2017, 5:00:26 AM
to OWASP ZAP User Group
Ah, good. Is this included in the latest stable version then?

On top of that, do you remember the issue with the random number generator that was failing on some Unix systems? Is this included as well in this new Docker image?

Thanks

Javi D R

Oct 23, 2017, 8:01:37 AM
to OWASP ZAP User Group
Hi

I have upgraded it to Webswing 2.4, and I can click on the button to add/modify new IPs for the API. However, the change is not reflected in the application. That is, after clicking on the add button, the new IP address has not been added there.

I can provide logs if you tell me where this error could be stored. The webswing.log doesn't reflect anything.

On top of that, can IPs be added/removed using the CLI?

Thanks

thc...@gmail.com

Oct 23, 2017, 8:15:12 AM
to zaprox...@googlegroups.com
Right, as mentioned in the previous issue, version 2.4 also has an issue
that prevents the dialogues from working properly; that's why it had not
yet been updated to that version.


> I can provide logs if you tell me where this error could be stored.
> The webswing.log doesn't reflect anything.

For the record, that error should be in the zap.log file.


> On top of that, can ips be added/removed using cli?

Yes, they can be added through the command line,
https://github.com/zaproxy/zaproxy/wiki/FAQapikey contains examples on
how to do that. (You need to change the Webswing configuration though.)


Regarding the previous questions:

> Is this included in the latest stable version then?

No, unfortunately there's not yet a (released) Webswing version that
works properly.

> Is this included as well in this new docker image?

No, that was not yet implemented.


Best regards.

Javi D R

Oct 23, 2017, 11:19:25 AM
to OWASP ZAP User Group
Hi

zap-cli doesn't seem to work from the container. There is a problem with the httplib library:

zap@1d095358432f:/zap$ zap-cli start
[INFO]            Starting ZAP daemon
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 102, in start_zap_daemon
    zap_helper.start(options=start_options)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 57, in start
    if self.is_running():
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 118, in is_running
    result = urllib2.urlopen(self.proxy_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1228, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1201, in do_open
    r = h.getresponse(buffering=True)
  File "/usr/lib/python2.7/httplib.py", line 1136, in getresponse
    response.begin()
  File "/usr/lib/python2.7/httplib.py", line 453, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python2.7/httplib.py", line 417, in _read_status
    raise BadStatusLine(line)
httplib.BadStatusLine: ''

Any suggestion?

Thanks

thc...@gmail.com

Oct 23, 2017, 11:32:16 AM
to zaprox...@googlegroups.com
Is ZAP using an API key? Is the key being passed to zap-cli? (--api-key
or using the env var.)

That error might happen if the API key is not correct or the client
address is not allowed.

Which image are you using?

Best regards.

Javi D R

Oct 23, 2017, 11:36:54 AM
to OWASP ZAP User Group
I'm using owasp/zap2docker-stable.

I am just getting into the Docker image and running the CLI from there, so I assume Docker is not even started. I thought the CLI would start the ZAP engine, wouldn't it? If not, what are the steps to do it? Should I start Webswing first, and then call the CLI with the key generated there? I assume it will tell me that the port is already in use.

Thanks

thc...@gmail.com

Oct 23, 2017, 1:24:21 PM
to zaprox...@googlegroups.com
Webswing starts its own ZAP instance(s), so you need to configure it
with the file:
/zap/webswing-2.3/webswing.config

You can add the required command line arguments to "args" entry:
"args" : "-host 0.0.0.0 -port 8090 -config api.key=XYZ"

and then start Webswing with:
/zap/zap-webswing.sh

Hopefully that should make ZAP work as intended.

Best regards.
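The two replies above say that the API settings (listening address, port, key, allowed client addresses) are command-line arguments, and that under Webswing they have to go into the "args" entry of webswing.config rather than being typed at a shell. The script below is an added example, not code from the ZAP project, from Webswing or from the thread: it rewrites that entry so the key and allowed-address settings are set exactly once. It assumes webswing.config is a JSON document in which the ZAP command line is a string under an "args" key (the thread quotes such an entry; the surrounding layout, including the "applications" wrapper in the constructed sample, is an assumption). The flags `-host`, `-port` and the `-config` keys `api.key`, `api.addrs.addr.name` and `api.addrs.addr.regex` are the ones used in this thread.

```python
"""Set the ZAP launch arguments in a Webswing config file.

Added example; not code from the ZAP project, Webswing, or this thread.
Assumptions: webswing.config is JSON and the ZAP command line is a string
stored under an "args" key somewhere in it. The -host/-port flags and the
-config keys api.key, api.addrs.addr.name, api.addrs.addr.regex are the
ones the thread uses.
"""
import json
import shlex
from typing import List


def _drop_flag(tokens: List[str], flag: str) -> List[str]:
    """Remove every `flag <value>` pair from the token list."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == flag and i + 1 < len(tokens):
            i += 2
            continue
        out.append(tokens[i])
        i += 1
    return out


def _drop_config(tokens: List[str], key: str) -> List[str]:
    """Remove every `-config key=...` pair for the given key."""
    out, i = [], 0
    while i < len(tokens):
        if (tokens[i] == "-config" and i + 1 < len(tokens)
                and tokens[i + 1].split("=", 1)[0] == key):
            i += 2
            continue
        out.append(tokens[i])
        i += 1
    return out


def build_zap_args(args: str, host: str, port: int, api_key: str,
                   allowed_addr: str, addr_is_regex: bool) -> str:
    """Return `args` with host, port, API key and allowed client address
    set, replacing earlier values so no setting appears twice."""
    tokens = shlex.split(args)
    tokens = _drop_flag(tokens, "-host") + ["-host", host]
    tokens = _drop_flag(tokens, "-port") + ["-port", str(port)]
    tokens = _drop_config(tokens, "api.key") + ["-config", f"api.key={api_key}"]
    tokens = _drop_config(tokens, "api.addrs.addr.name") + [
        "-config", f"api.addrs.addr.name={allowed_addr}"]
    regex_flag = "true" if addr_is_regex else "false"
    tokens = _drop_config(tokens, "api.addrs.addr.regex") + [
        "-config", f"api.addrs.addr.regex={regex_flag}"]
    # How Webswing splits "args" is not documented here, so refuse values
    # that would need quoting instead of guessing at its rules.
    for tok in tokens:
        if any(ch.isspace() for ch in tok):
            raise ValueError(f"argument would need quoting: {tok!r}")
    return " ".join(tokens)


def update_args_entries(config, **zap_settings) -> int:
    """Rewrite every string "args" value in the loaded JSON in place.
    Returns the number of entries changed."""
    changed = 0
    if isinstance(config, dict):
        for key, value in config.items():
            if key == "args" and isinstance(value, str):
                config[key] = build_zap_args(value, **zap_settings)
                changed += 1
            else:
                changed += update_args_entries(value, **zap_settings)
    elif isinstance(config, list):
        for item in config:
            changed += update_args_entries(item, **zap_settings)
    return changed


def rewrite_config_file(path: str, **zap_settings) -> int:
    """Load webswing.config, update the args entries, write it back."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    changed = update_args_entries(config, **zap_settings)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    return changed


# Constructed sample shaped like the entry quoted in the thread. The
# "applications" wrapper is an assumption; the walker does not rely on it.
SAMPLE_CONFIG = {
    "applications": [
        {"name": "zap", "args": "-host 0.0.0.0 -port 8090 -config api.key=XYZ"}
    ]
}

if __name__ == "__main__":
    cfg = json.loads(json.dumps(SAMPLE_CONFIG))
    update_args_entries(cfg, host="0.0.0.0", port=8090, api_key="s3cret",
                        allowed_addr=".*", addr_is_regex=True)
    print(cfg["applications"][0]["args"])
```

Run it against the real file with `rewrite_config_file("/zap/webswing-2.3/webswing.config", host="0.0.0.0", port=8090, api_key="...", allowed_addr=".*", addr_is_regex=True)` and then start `/zap/zap-webswing.sh`. One caveat: `api.addrs.addr.name=.*` with `api.addrs.addr.regex=true` switches the address allow-list off, so the API key becomes the only control on the API; if you use that, publish the port only on the host loopback (`docker run -p 127.0.0.1:8081:8090 ...`) or restrict the pattern to the addresses that actually need access.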

Javi D R

Oct 24, 2017, 5:14:49 AM
to OWASP ZAP User Group
I can see this config applied now, but I am still unable to connect to the Docker image from the host machine.

The regexp I have added should allow any connection: -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true


I am routing port 8081 to 8090 in the Docker image.

User-Agent: curl/7.29.0
Host: localhost:8081
Accept: */*


HTTP/1.1 502 Bad Gateway
Content-Type: text/plain; charset=UTF-8
Content-Length: 2038

ZAP Error [java.net.ConnectException]: Connection refused (Connection refused)

Stack Trace:
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at java.net.Socket.<init>(Socket.java:434)
at java.net.Socket.<init>(Socket.java:286)
at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80)
at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122)
at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)


If I get into the container and do curl to localhost:8090, it works fine, but from outside I can't do it.


I promise to write a nice document once we make this work completely :)

Thanks

psiinon

Oct 24, 2017, 5:34:35 AM
to zaprox...@googlegroups.com

--
OWASP ZAP Project leader

thc...@gmail.com

Oct 24, 2017, 5:50:27 AM
to zaprox...@googlegroups.com
Also,

> I am routing port 8081 to 8090 in the docker image

this causes "problems", as ZAP is serving the ZAP API on port 8090, not
8081 (even though the traffic is routed from one port to the other, the
HTTP requests are not rewritten to use ZAP's port).

If you proxy through 8081 but request 8090 then you should be able to
access the ZAP API, e.g.:
curl http://localhost:8090/ --proxy http://localhost:8081

(An alternative is to just let ZAP listen on 8081 removing the need for
proxying.)

Best regards.

Javi D R

Oct 24, 2017, 6:46:51 AM
to OWASP ZAP User Group
curl http://localhost:8090/ --proxy http://localhost:8081 works perfectly!

Now, to reach the API from the Python library, how should I do it? I am using localhost:8081 as the proxy. How can I do a double proxy here?

from zapv2 import ZAPv2  # python-owasp-zap-v2.4 client

prox = {'http': 'localhost:8081', 'https': 'localhost:8081'}
apikey = 'mykeyRedacted'
zap = ZAPv2(apikey=apikey, proxies=prox)

thc...@gmail.com

Oct 24, 2017, 7:25:56 AM
to zaprox...@googlegroups.com
In the case of the API clients you don't need to make any other change, just
specify the correct address/port (like you have done). The API clients
request the API with the "zap" hostname, so they will always work
independently of the actual port ZAP is listening on.

That should also work with curl:
curl http://zap/ --proxy http://localhost:8081/

Best regards.
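The two replies above (the one on port mapping versus proxying, and the one on the "zap" hostname) explain the 502 in the earlier post: with `-p 8081:8090` the request reaches ZAP carrying `Host: localhost:8081`, ZAP does not recognise that as itself and tries to forward it to localhost:8081 inside the container, where nothing listens. Sent through the proxy instead, the request names ZAP's real port or the "zap" host and is served as an API call. The code below is an added example, not code from the ZAP project or from the thread: `zap_route` is a simplified model of that decision (not ZAP's implementation), and `api_url`/`build_opener` show how a plain urllib client addresses the API the way the working curl command does. Host names, ports and the API key are constructed values; sending the key as the `apikey` query parameter is what the ZAP Python client does.

```python
"""Why `docker -p 8081:8090` yields a 502 from the ZAP API while a request
sent through the proxy works, and how a client should address the API.

Added example, not code from the ZAP project or this thread. zap_route is
a simplified model of the behaviour the thread describes (ZAP serves the
API itself when a request is addressed to the "zap" hostname or to its
own listening port, and forwards anything else upstream); it is not
ZAP's implementation. Hosts, ports and keys below are constructed.
"""
from typing import Dict, Optional, Tuple
import urllib.request
from urllib.parse import urlencode, urlsplit

API_HOSTNAME = "zap"  # the name ZAP API clients use, per the thread


def request_target(request_line: str, host_header: str) -> Tuple[str, int]:
    """Host and port a request is addressed to.

    A client that knows it talks to a proxy sends an absolute URI in the
    request line (GET http://zap/ HTTP/1.1); a client that believes it
    talks to the origin sends only a path and relies on the Host header.
    """
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        default = 443 if parts.scheme == "https" else 80
        return parts.hostname or "", parts.port or default
    host, _sep, port = host_header.partition(":")
    return host, int(port) if port else 80


def zap_route(request_line: str, host_header: str, listen_port: int) -> str:
    """Model: 'api' when ZAP would answer the request itself, otherwise
    'forward:<host>:<port>', the upstream it would try to connect to."""
    host, port = request_target(request_line, host_header)
    if host == API_HOSTNAME:
        return "api"
    if port == listen_port and host in ("localhost", "127.0.0.1"):
        return "api"
    return f"forward:{host}:{port}"


def api_url(path: str, apikey: str,
            params: Optional[Dict[str, str]] = None) -> str:
    """Absolute URL for an API call, addressed to the "zap" host so it is
    served whatever port ZAP listens on; key in the apikey parameter."""
    query = dict(params or {})
    query["apikey"] = apikey
    return f"http://{API_HOSTNAME}{path}?{urlencode(query)}"


def build_opener(proxy: str) -> urllib.request.OpenerDirector:
    """Opener that sends every http:// request through the ZAP proxy."""
    handler = urllib.request.ProxyHandler({"http": proxy})
    return urllib.request.build_opener(handler)


def zap_version(proxy: str, apikey: str) -> str:
    """Real network call (not exercised offline): core/view/version."""
    opener = build_opener(proxy)
    url = api_url("/JSON/core/view/version/", apikey)
    with opener.open(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # 1. Port mapping only: ZAP sees Host: localhost:8081, not its own
    #    port, so it tries to proxy to localhost:8081 inside the container.
    print(zap_route("GET / HTTP/1.1", "localhost:8081", 8090))
    # 2. Through the proxy, naming ZAP's real port: served as the API.
    print(zap_route("GET http://localhost:8090/ HTTP/1.1", "localhost:8090", 8090))
    # 3. Through the proxy with the "zap" name: served on any port.
    print(zap_route("GET http://zap/ HTTP/1.1", "zap", 8090))
```

The three cases in the `__main__` block are the three commands from the thread: the plain `curl http://localhost:8081/` that produced the 502, `curl http://localhost:8090/ --proxy http://localhost:8081`, and `curl http://zap/ --proxy http://localhost:8081/`. `zap_version` does the same as the last one from Python; it is the only function that opens a connection.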

Javi D R

Oct 24, 2017, 7:37:48 AM
to OWASP ZAP User Group
Fantastic. It works perfect now!

Now, i have two more questions

1 - Webswing apparently goes down every time I close the browser. Is there any way to keep it continuously listening, like the normal ZAP application?

2 - This is the important bit, and it might well be a new thread. 

I want to run requests from Selenium, and later read the response with the API.

How can i identify my requests? Is there any session id or similar?

I have thought about using scope, but if I execute test.com/test and at the same time somebody else executes another request on test.com/test, that one will overwrite my request, won't it?

Thanks