IntelliJ + ZAP issues


Stephen Rugh

Feb 6, 2013, 5:19:04 PM
to zaproxy...@googlegroups.com
Hey guys, I posted in the User Group but figured this might belong in the Dev group instead.
I checked out the bodgeit application in an attempt to get ZAP running through the provided ANT script, but I'm running into a few walls:

First, I had to download, install, and rebuild the application with JDK 1.7 and point tomcat to the 1.7 JRE as well. Previously (and for work) I used 1.6. Just wanted to note this for any people in the future.
Second, I had to download and copy zap-api-v2-2.jar to my IntelliJ folder under lib/ant/lib in order to resolve an issue "zap-build.xml:16: taskdef class org.zaproxy.clientapi.ant.AccessUrlTask cannot be found".

Finally, I'm stuck at a point where I've run the build deploy, but the build test and build zap-test fail.

test just says "Test com.thebodgeitstore.selenium.tests.FunctionalZAP FAILED"

zap-test hits spider->spiderUrlTask and then tries to run Open URL: http://zap/xml/spider/action/scan/?url=http://localhost:8080/bodgeit/&

and gives me 

[Fatal Error] :1:1: Content is not allowed in prolog.
bodgeit\zap-build.xml:60: org.zaproxy.clientapi.core.ClientApiException: org.zaproxy.clientapi.core.ClientApiException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.

So at this point I am stuck. I'll edit this if I can get an answer or figure it out, but I've spent the last hours working on it so it's break time :)


psiinon

Feb 7, 2013, 3:27:09 AM
to zaproxy...@googlegroups.com
Hi Stephen,

Yeah, the dev group is probably the right place for this :)
The 'content is not allowed in prolog' error is probably a side effect of the API not being enabled - you get a message like "Not enabled" or something - this should be in the right format (JSON/XML) and recognised by the client ;)
So you're probably starting ZAP with the UI, as if you start it with the -daemon flag then the API is automatically enabled.
To fix this in the UI go into Tools / Options ... / API and tick the 'Enabled' box.
The next problem you'll find with Bodgeit is that the Selenium jars in svn are out of date.
I hit this problem preparing for FOSDEM ;)
I'll try and check my changes to the bodgeit build, instructions and jars today and will update this thread when I've done so :)

Cheers,

Simon

Stephen Rugh

Feb 7, 2013, 10:49:39 AM
to zaproxy...@googlegroups.com
Well, enabling the API fixed it temporarily, but upon running it a second time (and now after restarting) I get zap-build.xml:60: org.zaproxy.clientapi.core.ClientApiException: URL Not Found in the Scan Tree(url_not_found)

I remember seeing this yesterday, but I forgot how I got around it.  

Stephen Rugh

Feb 7, 2013, 10:55:59 AM
to zaproxy...@googlegroups.com
Update to my previous post: With the UI running or not, zap-test will fail with the URL Not Found exception. HOWEVER, if I run a single test against the url (http://localhost:8080/bodgeit/) in the UI, and THEN run the zap-test, zap-test will work properly. I don't know if this has anything to do with the outdated jars as you said earlier, but just wanted to make note of this strange issue.

Stephen Rugh

Feb 11, 2013, 12:56:39 PM
to zaproxy...@googlegroups.com
Started getting this error for the Task: spiderUrlTask

zap-build.xml:60: org.zaproxy.clientapi.core.ClientApiException: URL Not Found in the Scan Tree(url_not_found)

any ideas?


psiinon

Feb 11, 2013, 12:59:46 PM
to zaproxy...@googlegroups.com
Yeah, I've just answered this (well, a similar question) on another thread :)
https://groups.google.com/d/topic/zaproxy-develop/l1gNaQJneSk/discussion
Basically ZAP needs to know about the URL, so you need to have proxied to it through ZAP.
But it's also clear that it's causing a lot of confusion ;)

Cheers,

Simon

Stephen Rugh

Feb 11, 2013, 4:48:36 PM
to zaproxy...@googlegroups.com
I actually saw that but wasn't quite sure what it meant. I understand now though, thanks.

To follow up: I'm attempting to run ZAP from command line by executing java -jar zap.jar -daemon

According to the wiki, this should then allow me to get to the ZAP api by http://zap/, but I may be missing something as I get nothing at that url.

psiinon

Feb 14, 2013, 5:26:47 AM
to zaproxy...@googlegroups.com
Hi Stephen,

Are you proxying your browser through ZAP (you'll need to)?
And have you enabled the API?

If yes to both of those - what exactly do you see?
A completely blank page or??

Thanks,

Simon

Stephen Rugh

Feb 14, 2013, 6:22:06 PM
to zaproxy...@googlegroups.com
Oh I see! Alright, I proxied through IE to 127.0.0.1:8090 and was able to get to http://zap. Sorry! I guess I missed that instruction somewhere along the way.

I still need to find a way to get ZAP to run via command line without having to first run a scan through the UI (as you stated previously, ZAP has to first know about the URL). I'm trying to fully automate a security scan through jenkins after a commit/build has been executed. I'm really excited, though, and I feel like I'm really close!
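As an added example (not code from this thread or from the ZAP project's own client library), the script below automates the sequence Simon describes and Stephen is trying to script for Jenkins: ZAP is started with `-daemon` (so the API is enabled), the target is fetched through the ZAP proxy so the URL lands in the scan tree, and only then is `spider/action/scan` called with the `http://zap/xml/...` URL form from the Ant log. The proxy address 127.0.0.1:8090 and the Bodgeit URL are taken from the thread; the function names are this example's own, and the XML parse step turns the non-XML reply of a disabled API into a readable error instead of the "Content is not allowed in prolog" SAX exception.

```python
"""Added example (not from the thread or the ZAP project): automate
"proxy to the URL first, then spider it" against a ZAP daemon.

Assumptions: ZAP was started with `java -jar zap.jar -daemon` (API enabled),
listens on 127.0.0.1:8090 as in the thread, and serves its API on the
virtual host http://zap via that proxy. Function names are this example's own.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ZAP_PROXY = "127.0.0.1:8090"               # assumption: proxy port used in the thread
ZAP_API_HOST = "http://zap"                # API virtual host, reachable only through the proxy
TARGET = "http://localhost:8080/bodgeit/"  # the Bodgeit instance from the thread


def api_url(component, action, **params):
    """Build a ZAP 2.x XML API action URL, e.g. /xml/spider/action/scan/?url=..."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_API_HOST}/xml/{component}/action/{action}/?{query}"


def parse_api_response(body):
    """Parse the API reply as XML.

    When the API is disabled ZAP answers with a plain-text body; feeding that
    to a SAX parser gives the 'Content is not allowed in prolog' error seen in
    the Ant log. Raise an actionable message instead.
    """
    try:
        return ET.fromstring(body)
    except ET.ParseError as exc:
        raise RuntimeError(
            "ZAP API returned a non-XML body; is the API enabled "
            "(Tools / Options / API, or start ZAP with -daemon)? Body starts: "
            + body[:80].strip()
        ) from exc


def zap_opener():
    """An opener that sends every request through the ZAP proxy."""
    handler = urllib.request.ProxyHandler({"http": f"http://{ZAP_PROXY}"})
    return urllib.request.build_opener(handler)


def prime_target(opener, target):
    """Fetch the target through ZAP so it appears in the scan tree.

    Skipping this step is what produces
    'URL Not Found in the Scan Tree (url_not_found)' from spider/action/scan.
    """
    with opener.open(target, timeout=30) as resp:
        return resp.status


def start_spider(opener, target):
    """Call spider/action/scan and return the parsed XML root element."""
    url = api_url("spider", "scan", url=target)
    try:
        with opener.open(url, timeout=30) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        # Keep the error body: when ZAP rejects an API call the reason
        # (such as the url_not_found code) is reported there.
        body = err.read()
    return parse_api_response(body.decode("utf-8", "replace"))


if __name__ == "__main__":
    opener = zap_opener()
    try:
        print("primed target, HTTP", prime_target(opener, TARGET))
        root = start_spider(opener, TARGET)
        print("spider API answered:", root.tag, (root.text or "").strip())
    except urllib.error.URLError as exc:
        print("could not reach ZAP or the target through the proxy:", exc)
```

Run it after starting the daemon and deploying Bodgeit; because the target fetch goes through the same proxy the API call uses, no manual step in the ZAP UI is needed before the spider starts.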

Cosmin Stefan-Dobrin

Feb 14, 2013, 7:23:05 PM
to zaproxy...@googlegroups.com
Hi,

This issue of having to first navigate to a URI before starting a scan has been on my mind for a while, and I was thinking we could make some modifications to the Spider API to allow it to start a spidering scan without that requirement.

I know ZAP has had the current behavior since before I joined the project, so I was wondering if there's still a reason why we should not start a scan without navigating in the browser to a particular domain?

Cosmin



psiinon

Feb 15, 2013, 5:41:10 AM
to zaproxy...@googlegroups.com
Er, I think it started off like that just because it was the easiest way to make it work ;)

I think allowing both the Spider and Active Scanner to run on an 'unknown' URL would be a really useful enhancement.

Cheers,

Simon

Cosmin Stefan-Dobrin

Feb 15, 2013, 5:53:19 AM
to zaproxy...@googlegroups.com
I've added Issue 522 and I'll try to look at it soon.

Cosmin

psiinon

Feb 15, 2013, 5:57:29 AM
to zaproxy...@googlegroups.com
Great - thanks!