error api key when start script

fede fedez

Aug 24, 2022, 3:46:55 AM
to OWASP ZAP Developer Group
From Ubuntu I ran the command
./zap -daemon -config api.key="codeapi"
When I start my script this error comes out:

25458 [ZAP-ProxyThread-1] WARN  org.zaproxy.zap.extension.api.API - API key incorrect or not supplied:  in request from 127.0.0.1


How can I solve?

psiinon

Aug 24, 2022, 3:48:42 AM
to OWASP ZAP Developer Group
Supply the correct key when calling the ZAP API.
How are you invoking the API?
Directly, using one of the official ZAP client APIs or ??

fede fedez

Aug 24, 2022, 4:10:12 AM
to OWASP ZAP Developer Group
I am using python. This is the code with which I call the key. It has always worked but on the server it seems not to work

from zapv2 import ZAPv2

apikey = 'apikeycode'
zap = ZAPv2(apikey=apikey)

psiinon

Aug 24, 2022, 4:16:02 AM
to OWASP ZAP Developer Group
You said that when you start ZAP you use: ./zap -daemon -config api.key="codeapi"
You are then using: apikey = 'apikeycode'

The key you've set in ZAP, "codeapi" does not equal the one you are setting in the API: "apikeycode".
They need to be the same :)

fede fedez

Aug 24, 2022, 4:18:51 AM
to OWASP ZAP Developer Group
the apicode code I wrote is generic to make it clear that I put them inside the code

psiinon

Aug 24, 2022, 4:24:27 AM
to OWASP ZAP Developer Group
I was just pointing out an obvious problem in the info you sent to us.
ZAP is reporting that the key specified by the API call is not the same as the key defined in ZAP.
You need to check your code to make sure you're setting things as needed.
If you'd like us to help then you'll need to send us exactly what you are specifying - details matter in this case.

fede fedez

Aug 24, 2022, 6:27:36 AM
to OWASP ZAP Developer Group
Thanks for the reply :)
These are the steps I took:
From the terminal I launched the program to be able to configure it with this command:

./zap.sh -daemon -config api.key=change-me-9203935709 -host 127.0.0.1 -port 8080


I started my script written in python and it returns this error:

10031 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on localhost:8080

24857 [ZAP-ProxyThread-1] WARN  org.zaproxy.zap.extension.api.API - API key incorrect or not supplied: change-me-9203935709 in request from 127.0.0.1


I tried with the "curl" command to check if there is communication with port 8080 and indeed there is.


I also ask if there is a way to verify that the apikey previously entered in the terminal configuration is correct.

Thank you

fede fedez

Aug 24, 2022, 7:34:35 AM
to OWASP ZAP Developer Group
it would seem that in daemon mode the API key configuration does not work ... are there any other solutions?
thanks

psiinon

Aug 24, 2022, 8:02:30 AM
to OWASP ZAP Developer Group
That would be a surprise, and if so would be a significant problem.
Can you confirm which version of ZAP you are using?
I'll look into it now...

psiinon

Aug 24, 2022, 8:17:52 AM
to OWASP ZAP Developer Group
It's working fine for me in the dev version of ZAP.
If you let me know which version of ZAP you are using then I can double check that one as well.
I believe a lot of ZAP users use the API key in daemon mode so right now I think the most likely explanation is a problem on your side.

Cheers,

Simon

fede fedez

Aug 24, 2022, 8:21:31 AM
to OWASP ZAP Developer Group
I am using version 2.11.1 on Ubuntu but the problem persists on multiple computers.
Thanks

psiinon

Aug 24, 2022, 8:30:07 AM
to OWASP ZAP Developer Group
I've just tried 2.11.1 on my Mac and it works fine.
The fact that you are seeing the problem on multiple computers implies to me that you are making the same mistake each time.

I started ZAP using:
  • /Applications/OWASP\ ZAP.app/Contents/Java/zap.sh -daemon -dir /fullpath/to/test/dir  -config api.key="sbsbtest123" -port 8090
If you are using Linux then change the path to zap.sh
Change "/fullpath/to/test/dir" to a valid local directory - this will ensure that ZAP doesn't pick up any other configs that might be causing you problems.
Then run this python script:

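from zapv2 import ZAPv2
from pprint import pprint

# Must be identical to the value passed to ZAP with -config api.key=...
apikey = 'sbsbtest123'
# Send API calls through the ZAP instance listening on port 8090
zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})
pprint(zap.core.alerts())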

What do you get when you run that?

Cheers,

Simon

fede fedez

Aug 24, 2022, 9:08:25 AM
to OWASP ZAP Developer Group
It still gives me problems.
I had to try on port 8080 but this is the error

9467 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on localhost:8080

24849 [ZAP-ProxyThread-1] WARN  org.zaproxy.zap.extension.api.API - API key incorrect or not supplied: sbsbtest123 in request from 127.0.0.1

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 445, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 440, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.10/http/client.py", line 1374, in getresponse
    response.begin()
  File "/usr/lib/python3.10/http/client.py", line 318, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.10/http/client.py", line 287, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://zap/JSON/core/view/alerts/?apikey=sbsbtest123 (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ubuntu/Owasp/main.py", line 33, in <module>
    print(core.alerts())
  File "/home/ubuntu/.local/lib/python3.10/site-packages/zapv2/core.py", line 206, in alerts
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/view/alerts/', params)))
  File "/home/ubuntu/.local/lib/python3.10/site-packages/zapv2/__init__.py", line 200, in _request
    data = self._request_api(url, get)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/zapv2/__init__.py", line 180, in _request_api
    response = self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 555, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 510, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://zap/JSON/core/view/alerts/?apikey=sbsbtest123 (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

Thanks

fede fedez

Aug 24, 2022, 9:22:30 AM
to OWASP ZAP Developer Group
I looked in the config.xml file to be able to change the key but I can't find it. Where can I find it? Thank you

fede fedez

Aug 24, 2022, 10:34:51 AM
to OWASP ZAP Developer Group
even disabling api key doesn't work

psiinon

Aug 24, 2022, 11:36:15 AM
to OWASP ZAP Developer Group
OK, in that case there's some strange problem with your environment or with something that you are doing.
Disabling the API key definitely works - our integration tests do that every day.
Can you check to see that there is not another ZAP instance running?
Have you tried using the "-dir" command as I suggested before - this will prevent ZAP from picking up other config options that you might have changed before.

fede fedez

Aug 24, 2022, 11:55:14 AM
to OWASP ZAP Developer Group
I don't quite understand the -dir command.
Inside the zaproxy directory I have created an empty folder. The command should look like this: -dir /zaproxy/newFolderName, right? Or am I doing something wrong?
Thanks

psiinon

Aug 24, 2022, 11:57:56 AM
to OWASP ZAP Developer Group
I recommend creating a directory somewhere under the user which you are using to run ZAP.
Then specify the full directory path on the ZAP command line eg something like: "-dir /home/myuser/test/dir"

fede fedez

Aug 24, 2022, 12:00:47 PM
to OWASP ZAP Developer Group
When I run the program I write /usr/local/zaproxy and from there I launch zap.sh (on Ubuntu). Is it correct to open it like this?

psiinon

Aug 24, 2022, 12:03:22 PM
to OWASP ZAP Developer Group
I can't tell from that statement :)
Can you explain _exactly_ what you are doing?

fede fedez

Aug 24, 2022, 12:26:00 PM
to OWASP ZAP Developer Group

The strange thing is that in the .xml file the API key is correct

<version>20011001</version>
<api>
<key>12345</key>
</api>
<connection>
<proxyChain>
<enabled>false</enabled>
<hostName/>
<port>8080</port>
<realm/>
<userName/>
<prompt>false</prompt>
<password/>
</proxyChain>

I tried to change it to 12345 and it is correct in the config and also in my script

fede fedez

Aug 25, 2022, 1:58:09 AM
to OWASP ZAP Developer Group
If we change the -dir as you advised me, the config.xml file is correctly modified unlike the one in the ~/.ZAP directory.
Once I have made the changes how can I make Owasp always point to the new path with the modified config.xml? Thank you

psiinon

Aug 25, 2022, 3:06:55 AM
to OWASP ZAP Developer Group
Changing the directory using the -dir flag was a test to help us narrow down what could be going wrong.
Does everything work correctly when you use the -dir option?
Ie can you now connect to ZAP via the python API using the password?
If so then we can move on to how to fix the problem without using that option.

Cheers,

Simon

fede fedez

Aug 25, 2022, 3:16:16 AM
to OWASP ZAP Developer Group
If I use the command -dir zap it generates the new configuration file in the folder I specified. If I turn zap off and reactivate it (even via script) it will always point to the ~/.ZAP directory

Thanks

psiinon

Aug 25, 2022, 3:18:09 AM
to OWASP ZAP Developer Group
That wasn't the question I asked.

Does everything work correctly when you use the -dir option?
Ie can you now connect to ZAP via the python API using the password?

There's no point in progressing with anything else until we know the answer to those questions.

fede fedez

Aug 25, 2022, 3:37:22 AM
to OWASP ZAP Developer Group
No, I still can't connect to the new -dir. I just noticed that if I change the API key or port, on the config.xml of the new -dir the file is modified but owasp always seems to point to the config.xml in the ~/.ZAP directory

psiinon

Aug 25, 2022, 3:51:34 AM
to OWASP ZAP Developer Group
For this test you need to specify the "-dir" command when you start ZAP.
If it still doesn't work please let us know the exact command you are using to start ZAP.

fede fedez

Aug 25, 2022, 5:45:29 AM
to OWASP ZAP Developer Group
I am trying this command but it tells me that the command is not available in daemon mode.
This is the command:

proc = subprocess.Popen(["./zap.sh","-dir <../../../home/ubuntu/Owasp/testConfig>","-daemon"])

this is the error:
10318 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - Unsupported option '-dir ../../../home/ubuntu/Owasp/testConfig'.;
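
The "Unsupported option" line above shows "-dir" and the path arriving as one option string, which is what a program receives when both sit in a single element of a subprocess.Popen list. The following is an added example, not code from the thread or from the ZAP project: it splits the terminal command the way a shell does and flags list elements a shell would not have produced. The function names and the option set are assumptions made for the illustration.

```python
import shlex

# Options seen in the thread's command lines whose value is the NEXT element.
VALUE_OPTIONS = {"-dir", "-config", "-host", "-port"}

# Command line as typed at the terminal in the thread.
TERMINAL_LINE = 'zap.sh -daemon -dir ../../../home/ubuntu/Owasp/qw -config api.key="zaqwsx"'
# Popen list with option and value in one element, in the form the error line reports it.
FUSED_ARGV = ["./zap.sh", "-dir ../../../home/ubuntu/Owasp/testConfig", "-daemon"]
# Constructed: shell-style quotes copied into a list element.
QUOTED_ARGV = ["./zap.sh", "-daemon", "-config", 'api.key="zaqwsx"']


def argv_from_shell_line(line):
    """Split a command line the way a POSIX shell does before exec."""
    return shlex.split(line)


def argv_problems(argv):
    """Return (index, kind) for list elements a shell would not have produced."""
    problems = []
    for i, arg in enumerate(argv):
        head, space, _ = arg.partition(" ")
        if head in VALUE_OPTIONS and space:
            problems.append((i, "fused"))          # "-dir path" in one element
        elif arg in VALUE_OPTIONS and i + 1 == len(argv):
            problems.append((i, "missing-value"))  # option with nothing after it
        elif arg.startswith("api.key=") and arg[8:9] in ('"', "'"):
            problems.append((i, "quoted-key"))     # quotes reach ZAP as part of the value
    return problems


if __name__ == "__main__":
    print(argv_from_shell_line(TERMINAL_LINE))
    for argv in (argv_from_shell_line(TERMINAL_LINE), FUSED_ARGV, QUOTED_ARGV):
        print(argv_problems(argv))
```

Without a shell in between, nothing strips the quotes or splits on spaces, so each token must be its own list element and the key must be written without surrounding quotes.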

psiinon

Aug 25, 2022, 5:49:42 AM
to OWASP ZAP Developer Group
Please stop trying to do everything at once and let's solve these problems one at a time.
Start ZAP from the command line with the "-dir" option as I said before.
Try to connect to it via the python API using the key you specified when you started ZAP.
Tell us if it works, or if it fails tell us _exactly_ what you did and everything that was shown on the screen.
Do not try to do anything else at this stage.

If you can't do this then I'm afraid I can't help you.

fede fedez

Aug 25, 2022, 6:23:33 AM
to OWASP ZAP Developer Group
Hello I'll explain in detail what I did.
1) I went into the usr/local/zaproxy directory and started owasp with the command

zap.sh -daemon -dir ../../../home/ubuntu/Owasp/qw -config api.key="zaqwsx"


2) I closed Owasp and checked the config.xml file (in the modified directory) that the API key had changed and in fact it has changed.

<version>20011001</version>
<api>
<key>zaqwsx</key>
</api>
<connection>
<proxyChain>
<enabled>false</enabled>
<hostName/>
<port>8080</port>
<realm/>
<userName/>
<prompt>false</prompt>
<password/>

3) I went into the directory where I keep my script and ran it (making sure I changed the apikey code)

import subprocess
from zapv2 import ZAPv2

# ZAP is started here without -dir or -config
proc = subprocess.Popen(["./zap.sh", "-daemon"])
apikey = 'zaqwsx'
zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

Doing so the problem persists because the file that I am going to call from the script points to the config present in the default directory () and not to the new one that I have modified.

I hope you can help me.
I thank you

psiinon

Aug 25, 2022, 6:30:47 AM
to OWASP ZAP Developer Group
OK. I'll try one more time. And this is the last time.

Run ZAP from the command line with the "-dir" flag as I suggested.
Leave it running, do not try to start ZAP using your script.
Try just connecting to ZAP via a python script without starting ZAP.

I know this is not what you want to do in the end.
This is a test to make sure we have fixed the initial problem you reported.

If you can't follow these instructions then I'm afraid I will not be able to help any more.

fede fedez

Aug 25, 2022, 8:16:21 AM
to OWASP ZAP Developer Group
Thanks for the help but it didn't work. I tried uninstalling and reinstalling Owasp but without success. The only thing I noticed is that the command -config api.key works on first boot into daemon then it doesn't work anymore.
I tried opening zap.sh from the path opt/zaproxy and from usr/local/zaproxy

fede fedez

Aug 25, 2022, 8:57:51 AM
to OWASP ZAP Developer Group
alternatively when you need to make changes you have to delete the config.xml file

psiinon

Aug 26, 2022, 3:20:20 AM
to OWASP ZAP Developer Group
So, you started ZAP as I recommended with the "-dir" option, tried connecting with a python script and that failed to connect?
Please share the exact command you used to start ZAP and the exact python script you tried.

Details are important. One wrong character could make all of the difference.

larry town

Aug 26, 2022, 4:27:32 AM
to OWASP ZAP Developer Group
Hi, I have had the same problem previously. I solved it by deleting the config.xml and running zap again
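
The thread keeps returning to which config.xml holds which key (the default ~/.ZAP directory or the one given with -dir). The following is an added example, not code from any poster or from the ZAP project: it reads the <api><key> element from each candidate home directory and reports whether it matches the key a client script will send, without echoing the stored key. The <config> root element in the sample and the function names are assumptions.

```python
import hmac
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample. The <config> root element is an assumption; the
# <api><key> layout is the one shown in the thread.
SAMPLE = "<config><version>20011001</version><api><key>{key}</key></api></config>"


def stored_key_status(home_dir, client_key):
    """Compare the key a client will send with <home_dir>/config.xml.

    Returns 'no-config', 'no-key', 'match' or 'mismatch'. The stored key is
    never returned, so the result can be logged.
    """
    cfg = Path(home_dir) / "config.xml"
    if not cfg.is_file():
        return "no-config"
    stored = ET.parse(cfg).getroot().findtext("api/key")
    if not stored:
        return "no-key"
    same = hmac.compare_digest(stored.encode(), client_key.encode())
    return "match" if same else "mismatch"


def audit_homes(home_dirs, client_key):
    """Check each candidate home directory: the default one and any -dir target."""
    return {str(d): stored_key_status(d, client_key) for d in home_dirs}


def demo():
    """Two home directories holding different keys, plus one that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = [Path(tmp, ".ZAP"), Path(tmp, "qw"), Path(tmp, "absent")]
        for home, key in zip(homes, ("12345", "zaqwsx")):
            home.mkdir()
            (home / "config.xml").write_text(SAMPLE.format(key=key))
        report = audit_homes(homes, "zaqwsx")
        return [report[str(h)] for h in homes]


if __name__ == "__main__":
    print(demo())
```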