ZAP API scan with custom policy


Kav

May 4, 2021, 5:07:37 AM5/4/21
to OWASP ZAP User Group
Hi, 

I am trying the docker API scanner for ZAP with a custom policy which includes SQL injection, etc. This is because the SQL injection vulnerabilities are found in the UI for the target under scanner while the API minimal scanning policy excludes such vulnerabilities. I am trying the command (Windows, PowerShell):
docker run -v ${pwd}:/zap/wrk/:rw -v ${pwd}/policies:/home/zap/.ZAP/policies/ -t owasp/zap2docker-stable  zap-api-scan.py -t https://target/v2/api-docs -f openapi -r custom-policy.html -d

Scanning is completed, but the report is not generated. The scanner quits with the following error:
1014424 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host https://target in 965.13s with 18 alert(s) raised.
1014424 [Thread-6] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner completed in 965.174s
1017293 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
1020693 [ZAP-ProxyThread-421] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/view/scanners/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: does_not_exist
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.getScanPolicyFromParams(ActiveScanAPI.java:742) ~[zap-2.10.0.jar:2.10.0]
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiView(ActiveScanAPI.java:1071) ~[zap-2.10.0.jar:2.10.0]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:526) [zap-2.10.0.jar:2.10.0]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.10.0.jar:2.10.0]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.10.0.jar:2.10.0]
        at java.lang.Thread.run(Thread.java:834) [?:?]
2021-05-04 08:55:02,550 Trigger hook: pre_exit, args: 3

What could be the reason?

Thanks and Regards,
Kavitha

Simon Bennetts

May 4, 2021, 10:17:52 AM5/4/21
to OWASP ZAP User Group
Hi Kavitha,

My initial guess is that you are failing to load the custom policy.
Does it work ok if you don't specify it?
When I've done this before I've copied the policy into the relevant policies directory when building the docker image.

Cheers,

Simon
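One way to do what Simon describes (bake the policy into the image at build time instead of mounting it at run time), written as an added example and not taken from the thread or from the ZAP project: the base image and the /home/zap/.ZAP/policies/ path are the ones used in the thread's command; the policy file name custom-policy.policy, the policies/ build-context directory and the zap:zap ownership are assumptions. If ZAP in the image keeps its home directory somewhere other than /home/zap/.ZAP, the destination path has to be changed to match, which is the same check the mount-based approach needs.

```dockerfile
# Added example, not from the original thread.
# Build context layout (assumed):
#   ./Dockerfile
#   ./policies/custom-policy.policy   <- the custom ZAP scan policy (exported from ZAP, .policy extension)
FROM owasp/zap2docker-stable

# Copy the policy into the directory the thread mounts at run time.
# The zap user runs the scan inside the image, so give it ownership of the file.
COPY --chown=zap:zap policies/custom-policy.policy /home/zap/.ZAP/policies/custom-policy.policy
```

Build it with `docker build -t zap-custom-policy .` and then run the same zap-api-scan.py command as in the thread against `zap-custom-policy` instead of `owasp/zap2docker-stable`, dropping the `-v ${pwd}/policies:/home/zap/.ZAP/policies/` mount. If the stack trace still ends in `ApiException: does_not_exist` from `getScanPolicyFromParams`, ZAP did not find a policy under the name the script asked for, so compare the file name (without the `.policy` extension) against the policy name being requested.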

Kavitha Pandian

May 4, 2021, 12:23:25 PM5/4/21
to zaprox...@googlegroups.com
Hi Simon, 

I can see that the "policies" directory is overwritten properly inside the docker image.
It also works when I run the docker image without any commands, copy the policy separately and then call the API scan.
I can try to copy while building the image.

Best regards,
Kavitha
