Connection refused when spidering using ZAP API Client


Ayman Touzi

Jan 31, 2014, 10:41:08 AM1/31/14
to zaprox...@googlegroups.com, aymen...@yahoo.fr
Hi,

I'm trying to automate security scans using Zed Attack Proxy: I set up a test environment locally and I execute scans successfully using the ZAP API (using Ant).
The Ant target starts ZAP as a daemon, spiders an application URL, executes an active scan, waits a few seconds until the passive scanner thread is finished, saves the ZAP session and stops ZAP.
When I execute the Ant file (using ant or from Eclipse), the scan is performed successfully. I tried to prepare a Jenkins job that invokes the Ant file; however, I obtained the following error:

spider:
[spiderUrlTask] Open URL: http://zap/xml/spider/action/scan/?url=http://192.168.91.133:8088/bodgeit/&

BUILD FAILED
C:\.jenkins\jobs\BodgeIT Update Basket Dynamic Security Assessment Job\workspace\build.xml:84: The following error occurred while executing this line:
C:\.jenkins\jobs\BodgeIT Update Basket Dynamic Security Assessment Job\workspace\zap-build.xml:44: org.zaproxy.clientapi.core.ClientApiException: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
	at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
	at org.zaproxy.clientapi.gen.Spider.scan(Unknown Source)
	at org.zaproxy.clientapi.core.ClientApi.spiderUrl(Unknown Source)
	at org.zaproxy.clientapi.ant.SpiderUrlTask.execute(Unknown Source)
	at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
	at org.apache.tools.ant.Task.perform(Task.java:348)
	at org.apache.tools.ant.Target.execute(Target.java:435)
	at org.apache.tools.ant.Target.performTasks(Target.java:456)
	at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
	at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
	at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
	at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:440)
	at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
	at org.apache.tools.ant.Task.perform(Task.java:348)
	at org.apache.tools.ant.Target.execute(Target.java:435)
	at org.apache.tools.ant.Target.performTasks(Target.java:456)
	at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
	at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
	at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
	at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
	at org.apache.tools.ant.Main.runBuild(Main.java:851)
	at org.apache.tools.ant.Main.startAnt(Main.java:235)
	at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
	at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
Caused by: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
	at org.zaproxy.clientapi.core.ClientApi.callApiDom(Unknown Source)
	... 32 more
Caused by: java.net.ConnectException: Connection refused: connect
	at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
	at java.net.Socket.connect(Socket.java:579)
	at java.net.Socket.connect(Socket.java:528)
	at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
	at sun.net.www.http.HttpClient$1.run(HttpClient.java:484)
	at sun.net.www.http.HttpClient$1.run(HttpClient.java:482)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.net.www.http.HttpClient.privilegedOpenServer(HttpClient.java:481)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:522)
	at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
	at sun.net.www.http.HttpClient.New(HttpClient.java:308)
	at sun.net.www.http.HttpClient.New(HttpClient.java:326)
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:996)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:975)
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:850)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
	... 33 more

Total time: 28 seconds
Executing iterative Build Steps.

What should be done on my side to fix this issue?
Thank you for your understanding and have a nice day.

Regards,
Aymen

Simon Bennetts

Jan 31, 2014, 10:51:31 AM1/31/14
to zaprox...@googlegroups.com, aymen...@yahoo.fr
Hi Aymen,

Strange that it works via Ant but not via Jenkins :/
It looks like the client API is failing to connect to the ZAP API.
How are you initializing the ClientApi?
The url http://zap/xml/spider/action/scan/?url=http://192.168.91.133:8088/bodgeit/& will only work if the ClientAPI is successfully proxying via ZAP.
If you're initializing it with localhost (eg something like: ClientApi("localhost", 8080); ) then you could try using the real IP address instead of localhost.
Is the Jenkins server on the same machine that you use Ant from?
If not it would be worth trying it with Ant on the same machine.

Cheers,

Simon

Ayman Touzi

Feb 3, 2014, 3:01:51 AM2/3/14
to zaprox...@googlegroups.com, aymen...@yahoo.fr
Hi Simon,
Thank you for the quick reply.
For the initialization, it is standard, using the following properties defined in a dedicated file (local.properties):

     # The ZAP address
     zap.addr=127.0.0.1

     # The ZAP port
     zap.port=8090


The call is made using the following Ant target:


    <target name="executeSecurityTests" description="This target aims to launch ZAP and execute security scans on the target application">
        <!-- Start ZAP -->
        <ant antfile="zap-build.xml" target="startZapDaemon" inheritAll="false" />
        <sleep seconds="5"/>
        <ant antfile="zap-build.xml" target="spider" inheritAll="false"/>
        <!-- Active scan the whole site -->
        <ant antfile="zap-build.xml" target="activeScan" inheritAll="false"/>
        <sleep seconds="10"/>

        <!-- Give the passive scanner thread a chance to catch up -->
        <sleep seconds="30"/>

        <ant antfile="zap-build.xml" target="saveZapSession" inheritAll="false" />

        <!-- Stop ZAP -->
        <ant antfile="zap-build.xml" target="stopZap" inheritAll="false"/>
    </target>

The detailed zap-build.xml file is attached.

Note that the Jenkins server is on the same machine that I use Ant from. I changed
zap.addr from localhost to 127.0.0.1 but I still have the same issue. When I try the real IP address, I obtain the error even when I execute it directly using Ant.
Thank you for your understanding and have a nice week.

Kind Regards,
Aymen

zap-build.xml
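Two things in this thread are worth seeing in working code: Simon's point that the client API only reaches URLs like http://zap/xml/... by sending them through ZAP as an HTTP proxy (so a closed proxy port surfaces as java.net.ConnectException at Socket.connect, exactly where the stack trace fails), and the fixed <sleep seconds="5"/> between startZapDaemon and spider in the Ant target, which is a race against a JVM that may start more slowly under a Jenkins service account than from Eclipse. The following is an added example written for this page; it is not code from the thread, from the ZAP project or from its Java client API. ZAP_ADDR and ZAP_PORT are assumed to mirror zap.addr/zap.port from local.properties, TARGET is the URL from the spider call in the error, and no API key is assumed to be configured. Only the readiness loop and URL builder are exercised offline; call_api needs a running ZAP.

```python
"""Readiness check for a ZAP daemon driven from a CI job (added example)."""
import socket
import time
import urllib.parse
import urllib.request

ZAP_ADDR = "127.0.0.1"  # assumption: zap.addr from local.properties
ZAP_PORT = 8090         # assumption: zap.port from local.properties
TARGET = "http://192.168.91.133:8088/bodgeit/"  # URL from the thread's spider call


def port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds. This is the step that
    failed in the stack trace (HttpClient.openServer -> Socket.connect)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_zap(host, port, deadline_s=60.0, interval_s=1.0, probe=port_open):
    """Poll until the ZAP proxy port accepts connections, or give up.

    Use this instead of a fixed <sleep seconds="5"/>: if the daemon has not
    opened its listener yet, the first API call gets 'Connection refused'.
    `probe` is injectable so the loop can be tested without a live ZAP.
    """
    end = time.monotonic() + deadline_s
    while True:
        if probe(host, port):
            return True
        now = time.monotonic()
        if now >= end:
            return False
        time.sleep(min(interval_s, end - now))


def zap_proxy_settings(host, port):
    """Proxy map that makes http://zap/... reachable: ZAP answers the pseudo
    host 'zap' itself, so API requests go *through* ZAP, not just to it."""
    return {"http": f"http://{host}:{port}"}


def api_url(component, kind, name, **params):
    """Build a ZAP XML API URL in the same shape as the thread's spider call,
    e.g. api_url('spider', 'action', 'scan', url=TARGET). Unlike the raw URL
    in the error output, the query parameters are percent-encoded."""
    base = f"http://zap/xml/{component}/{kind}/{name}/"
    query = urllib.parse.urlencode(params)
    return base + ("?" + query if query else "")


def call_api(host, port, url, timeout=10):
    """Send one API request through ZAP as an HTTP proxy and return the body."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(zap_proxy_settings(host, port)))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def spider_when_ready(host=ZAP_ADDR, port=ZAP_PORT, target=TARGET):
    """The thread's startZapDaemon -> spider sequence with the race removed."""
    if not wait_for_zap(host, port):
        raise RuntimeError(f"ZAP API never came up on {host}:{port}")
    # core/view/version is a cheap end-to-end check of the proxy path
    call_api(host, port, api_url("core", "view", "version"))
    return call_api(host, port, api_url("spider", "action", "scan", url=target))


if __name__ == "__main__":
    print(spider_when_ready())
```

When the readiness loop passes but the spider call still fails, the remaining suspects are the ones Simon lists: the address the ClientApi was built with not matching the interface ZAP bound to, or the Jenkins job running on a different host than the one ZAP was started on.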