Can't build zaproxy/zap-extension files on Windows 11


Aleš Répáš

Apr 26, 2022, 8:33:16 AM
to OWASP ZAP Developer Group
Hello,

I am trying to create a module/extension that can detect CSRF vulnerability on a website similar to xsrfprobe program.

I've been trying to build ZAP from src but I can't see why gradlew.bat doesn't work. I have downloaded JDK 11 from the link and added it to my PATH variable, yet I still keep getting the following compilation error.

> Task :buildSrc:compileKotlin FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':buildSrc:compileKotlin'.
> Cannot fingerprint input file property 'source': java.io.IOException: Cannot snapshot C:\Users\...\CSRFModule\zaproxy\buildSrc\src\main\kotlin\org\zaproxy\zap\distributions.gradle.kts: not a regular file

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 4s
6 actionable tasks: 1 executed, 5 up-to-date

Thanks,
Aleš Répáš

psiinon

Apr 26, 2022, 8:36:05 AM
to OWASP ZAP Developer Group
Hiya Aleš,

Do you have the zaproxy repo checked out (and up to date) at the same level as zap-extensions?
If not then you'll need to do that.

Cheers,

Simon

Aleš Répáš

Apr 26, 2022, 8:56:35 AM
to OWASP ZAP Developer Group
It seems I have responded directly to you so I am writing it once again:

Cloned and deleted the repositories multiple times. Both zaproxy and zap-extensions sit in my CSRFModule folder.
I don't know if I'm supposed to run the gradlew.bat in powershell or cmd. Both seem to report the same failure with Kotlin compilation. I have also downloaded JDK 11 from the link in the guide. I am really suspicious it has something to do with my environmental variables or maybe I'm missing Kotlin or something.. I do not really have experience with gradlew or kotlin.

What are your thoughts of the CSRF module? I know ZAP detects anti-csrf token already. However I was thinking of using payloads and modifying request header data to test for more vulnerabilities.

My JAVA_HOME variable is set to:
C:\Program Files\Eclipse Adoptium\jdk-11.0.15.10-hotspot

My PATH variable:
C:\Program Files\Eclipse Adoptium\jdk-11.0.15.10-hotspot\bin;
C:\Program Files\Common Files\Oracle\Java\javapath;
C:\Program Files\Eclipse Adoptium\jre-17.0.2.8-hotspot\bin;
C:\Program Files\Eclipse Adoptium\jre-11.0.14.9-hotspot\bin;
C:\Program Files (x86)\Eclipse Adoptium\jre-8.0.312.7-hotspot\bin;
C:\Program Files (x86)\Common Files\Oracle\Java\javapath;
C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;
C:\Windows;
C:\Windows\System32\Wbem;
C:\Windows\System32\WindowsPowerShell\v1.0\;
C:\Windows\System32\OpenSSH\;
C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;
C:\Program Files\dotnet\;
C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;
C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;
C:\Program Files\Git\cmd;
C:\Program Files (x86)\Wolfram Research\WolframScript\;
C:\WINDOWS\system32;C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\WINDOWS\System32\WindowsPowerShell\v1.0\;
C:\WINDOWS\System32\OpenSSH\;
C:\Program Files (x86)\dotnet\;
C:\Users\ales.repas\AppData\Local\Microsoft\WindowsApps;
C:\Users\ales.repas\.dotnet\tools;
C:\Users\ales.repas\AppData\Local\Programs\Microsoft VS Code\bin;
C:\Program Files\JetBrains\CLion 2021.2.3\bin;;
C:\texlive\2021\bin\win32

On Tuesday, April 26, 2022 at 14:36:05 UTC+2, psiinon wrote:

psiinon

Apr 26, 2022, 9:01:19 AM
to OWASP ZAP Developer Group
OK, we'll have to look into the Windows issue.
Re detecting CSRF - there are 2 rules that do this, have you looked at both of them?
I think the active rule may well already do what you are planning, but double check - we're always very happy to get improvements or completely new rules if they offer something different.

Cheers,

Simon

Aleš Répáš

Apr 26, 2022, 12:35:16 PM
to OWASP ZAP Developer Group
CSRF - I understand that ZAP already detects anti-CSRF token so I am thinking of expanding the more basic part of CSRF - testing POST/GET requests with payloads and tampering with their headers.

Windows issue - so in order to get the src running you recommend me to get it running on a Linux platform?

On Tuesday, April 26, 2022 at 15:01:19 UTC+2, psiinon wrote:

kingthorin+owaspzap

Apr 26, 2022, 1:42:40 PM
to OWASP ZAP Developer Group
I do tons of ZAP development on Win 10. I'll see if I can get a Win 11 VM going.

Aleš Répáš

Apr 26, 2022, 2:48:31 PM
to OWASP ZAP Developer Group
Are you getting no problems with the gradlew.bat on Windows 10? Could it be an environmental variables issue? Can you look it up please? I have created an Ubuntu VM to get it going.

On Tuesday, April 26, 2022 at 19:42:40 UTC+2, kingthorin+owaspzap wrote:

kingthorin+owaspzap

Apr 26, 2022, 2:58:02 PM
to OWASP ZAP Developer Group
I use gradle all the time without issue.

Aleš Répáš

Apr 26, 2022, 4:04:01 PM
to OWASP ZAP Developer Group
I have hooked up an Ubuntu VM and there it works perfectly. Probably a W11 issue then. I'm now off to develop my CSRF module.

On Tuesday, April 26, 2022 at 20:58:02 UTC+2, kingthorin+owaspzap wrote:

kingthorin+owaspzap

Apr 26, 2022, 7:15:29 PM
to OWASP ZAP Developer Group
Thanks for letting us know.

kingthorin+owaspzap

Apr 26, 2022, 7:32:41 PM
to OWASP ZAP Developer Group
Just to close the loop on this. I got a Win11 VM. Installed Java 11 Adoptium. Cloned the main zaproxy repo and gradlew.bat works just fine.

kingthorin+owaspzap

Apr 26, 2022, 7:39:45 PM
to OWASP ZAP Developer Group
C:\Users\User\Downloads\zaproxy>gradlew.bat spotlessApply
Downloading https://services.gradle.org/distributions/gradle-7.4.1-all.zip
...............10%...............20%...............30%...............40%...............50%................60%...............70%...............80%...............90%...............100%

Welcome to Gradle 7.4.1!

Here are the highlights of this release:
 - Aggregated test and JaCoCo reports
 - Marking additional test source directories as tests in IntelliJ
 - Support for Adoptium JDKs in Java toolchains

For more details see https://docs.gradle.org/7.4.1/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)

> Task :buildSrc:compileKotlin
'compileJava' task (current target is 11) and 'compileKotlin' task (current target is 1.8) jvm target compatibility should be set to the same Java version.
Daemon will be stopped at the end of the build after running out of JVM memory

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.4.1/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 5m 34s
26 actionable tasks: 26 executed
C:\Users\User\Downloads\zaproxy>gradlew.bat assemble

BUILD SUCCESSFUL in 2s
23 actionable tasks: 23 up-to-date

Aleš Répáš

Apr 27, 2022, 5:39:32 AM
to OWASP ZAP Developer Group
Strange. I suppose it might have something to do with computer settings then (my computer is part of an AD domain).

On Wednesday, April 27, 2022 at 1:39:45 UTC+2, kingthorin+owaspzap wrote:

thc...@gmail.com

Apr 27, 2022, 5:43:11 AM
to zaproxy...@googlegroups.com
Try checking out the file again, that file should be a regular file.

Best regards.
>>> <https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/>.
>>>>>>>>>> - Absence of Anti-CSRF Tokens
>>>>>>>>>> <https://www.zaproxy.org/docs/alerts/10202/> (passive)
>>>>>>>>>> - Anti-CSRF Tokens Check
>>>>>>>>>> <https://www.zaproxy.org/docs/alerts/20012/> (active)

Aleš Répáš

May 2, 2022, 6:01:06 AM
to OWASP ZAP Developer Group
RE: CSRF
Hello again. I'm working on the CSRF module. What I want to do is check whether all requests on a site contain origin/referer header data and then push it into alerts. Next, I'd like to send some payloads in the requests to see if they could theoretically work. Can I get some pointers whether I can somehow pick up scanned websites (requests) in my module/addon and push data into alerts? Thanks.
On Wednesday, April 27, 2022 at 11:43:11 UTC+2, thc202 wrote:

kingthorin+owaspzap

May 2, 2022, 7:33:42 AM
to OWASP ZAP Developer Group
Have a look at the existing scan rules.

Aleš Répáš

May 9, 2022, 5:10:12 PM
to OWASP ZAP Developer Group

Hello again. I'm wondering if there is a function that can tell whether two sites are the same. I haven't found one. My idea is for it to be true in case of "https://my.website.com" and "https://website.com/dog" but false in case of "https://my.website.com" and "https://my.space.com/"
On Monday, May 2, 2022 at 13:33:42 UTC+2, kingthorin+owaspzap wrote:
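
The comparison asked about above is a same-site check on registrable domains; the following is an added example, not part of the original post and not a ZAP API. The class name, method names and the small suffix set are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

public class SameSiteCheck {
    // Constructed sample of public suffixes (assumption). A real check needs the full
    // Public Suffix List: taking the last two labels would treat every *.co.uk host as one site.
    private static final Set<String> SUFFIXES =
            Set.of("com", "org", "net", "co.uk", "github.io");

    /** Registrable domain (public suffix plus one label), or the host if no suffix matches. */
    static String registrableDomain(String url) {
        String host = URI.create(url).getHost();
        if (host == null) {
            throw new IllegalArgumentException("No host in URL: " + url);
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1); // drop trailing root dot
        }
        String[] labels = host.split("\\.");
        // Scan left to right so the longest matching suffix wins.
        for (int i = 1; i < labels.length; i++) {
            String suffix = String.join(".", Arrays.copyOfRange(labels, i, labels.length));
            if (SUFFIXES.contains(suffix)) {
                return labels[i - 1] + "." + suffix;
            }
        }
        return host; // IP literal, single label or unknown suffix: exact host match only
    }

    /** Same-site comparison: scheme, port and path are ignored, unlike same-origin. */
    static boolean sameSite(String a, String b) {
        return registrableDomain(a).equals(registrableDomain(b));
    }

    public static void main(String[] args) {
        // The two pairs from the question, plus a multi-label suffix case.
        System.out.println(sameSite("https://my.website.com", "https://website.com/dog"));
        System.out.println(sameSite("https://my.website.com", "https://my.space.com/"));
        System.out.println(sameSite("https://a.example.co.uk", "https://b.other.co.uk/"));
    }
}
```

In an add-on, a library backed by the full Public Suffix List, such as Guava's `InternetDomainName.topPrivateDomain()`, would replace the sample set.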

psiinon

May 10, 2022, 4:19:33 AM
to OWASP ZAP Developer Group
That would be better asked in a new thread, this one is going way off the original topic ;)