open owasp on ubuntu app

[simone zambonardi]

Hello, I wanted to ask for help.

I am using zap on windows but trying to log in from Ubuntu (windows app). When I start the program with sudo ./zap.sh this message comes out

890 [main] INFO  org.zaproxy.zap.GuiBootstrap - OWASP ZAP 2.11.1 started 12/08/2022, 16:58:31 with home /root/.ZAP/
893 [main] FATAL org.zaproxy.zap.GuiBootstrap - ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.

Do you think the problem is that I'm using the Ubuntu app on windows? how can i solve? thank you

[psiinon]

Yes :)

Solution: use ZAP on Windows.

Any reason why you dont want to do that?

Cheers,

Simon

[simone zambonardi]

I'm simulating on ubuntu because then the automation script I made will go to a linux server. So the problem is caused by the "simulator"?

[psiinon]

The problem is that Ubuntu on Windows doesnt appear to support a GUI out of the box.

However see https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps (I've not tried this;)

But ... if you are automating ZAP then why do you need the GUI?

You can run ZAP with the "-daemon" flag to run it without the GUI.

Or you can use the Zap Automation Framework(AF): https://www.zaproxy.org/docs/automate/automation-framework/ - an AF plan is yaml and will work the same on Windows as Linux.

Cheers,

Simon

[simone zambonardi]

I noticed that if I don't open the program (graphically) the script doesn't work. It seems he doesn't recognize the apikey. Is there any way to disable it? Thanks for your help :)

[psiinon]

We have a FAQ for that :) https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/

ZAP is designed to automate - you do not have to use the GUI if you dont want to.

[simone zambonardi]

When I launch my script. Owasp is opened on port 8080 (without activating the graphics) the problem is that it gives me this error. do you know what it can be?

954746 [ZAP-ProxyThread-6] WARN  org.zaproxy.zap.extension.api.API - API key incorrect or not supplied: (apikey code) in request from 127.0.0.1
Traceback (most recent call last): ..... etc

If, on the other hand, I start the .exe file, it doesn't give any problems

[psiinon]

See the FAQ I sent: https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/

[simone zambonardi]

Thank you very much for your help. What I don't understand though is why if I open the OWASP GUI the script in python works. It runs the scans with respective reports. If I use the -daemon command instead, it does not work.

[simone zambonardi]

Last night I tried experimenting again. The problem is when I start a scan function or whatever. If I keep owasp in "demon" mode this warning comes up even though the api key is correct. The script is done in python and I am using the ubuntu app on windows

13462 [ZAP-ProxyThread-3] WARN  org.zaproxy.zap.extension.api.API - API key incorrect or not supplied: **code apikey **  in request from 127.0.0.1

The problem does not persist if the owasp GUI is opened.

[psiinon]

Have you looked at the FAQ I've mentioned above a couple of times?

Have you tried disabling the API key as mentioned in the FAQ?

If so can you send us the command you are using to launch ZAP?