Errors when running run_session_setup.py script

Jay S

Jul 3, 2017, 11:16:55 AM
to OWASP ZAP Scripts




and then followed instructions on the main script page here https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration


I want to run a scan on my simple website (no java scripts, all static content, no authentication) but am running into some issues. 
I am doing this on Windows 2012 Server. I have installed all pre-requisites/requirements (ZAP 2.6) and am using Python 3.6.
 
I launched the zap daemon as "zap -daemon -port 8080 -config api.disablekey=true"  

Confirmed that zap is active and is capturing traffic on above port fine. 

I then browsed, from within browser, to my target website. It loaded fine and I accessed a few other pages on the website. 

Then ran "...\api\sdlc-integration\run_session_setup.py" as below. 

python run_session_setup.py -t http://my-target-website/ -d 

It seems to run ok but in the zap.log it generates these errors (also attached is the complete zap.log file).  

2017-07-03 14:43:10,401 [ZAP-ProxyThread-14] WARN  API - ApiException while handling API request:
Missing Parameter (missing_parameter) : ids
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2017-07-03 14:43:11,417 [ZAP-ProxyThread-15] WARN  API - ApiException while handling API request:
Missing Parameter (missing_parameter) : ids
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Please also find the output produced by the run_session_setup script on command prompt (run_session_setup_output.log).

Do I need to be using Mozilla Firefox browser only? I am using IE and ZAP seems to capture/see the traffic ok.

What may be causing the above errors? Any help appreciated. 

Thanks,
Jay
zap.log
run_session_setup_output.log

thc...@gmail.com

Jul 3, 2017, 11:52:00 AM
to zaproxy...@googlegroups.com
Hi.

Those warnings happen when the configuration file doesn't ignore any
rule/scanner, there's nothing to worry about with those.

I'll change the script to not attempt to ignore/disable the scanners if
none are ignored...

Best regards.

On 03/07/17 16:16, Jay S wrote:
>
>
>
> I downloaded the scripts from
> https://github.com/zaproxy/community-scripts/archive/master.zip
>
> and then followed instructions on the main script page here
> https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>
>
> I want to run a scan on my simple website (no java scripts, all static
> content, no authentication) but am running into some issues.
> I am doing this on windows 2012 server. I have installed all
> pre-requisites/requirements (ZAP 2.6) and am using Python 3.6.
>
> I launched the zap daemon as "zap -daemon -port 8080 -config
> api.disablekey=true"
>
> Confirmed that zap is active and is capturing traffic on above port fine.
>
> I then browsed, from within browser, to my target website. It loaded fine
> and I accessed a few other pages on the website.
>
> Then ran "...\api\sdlc-integration\run_session_setup.py" as below.
>
> python run_session_setup.py -t http://my-target-website/ <http://localhost/>

Jay S

Jul 4, 2017, 12:53:24 PM
to OWASP ZAP Scripts

I got a response from thc202 indicating those errors were benign and could be ignored. Thanks. 

So I continued with running the scan script as: 

python run_scan.py 

Indeed the zap.log now shows the scan completed and I can see it trying different attacks, perhaps as part of the active scan. At least no errors. 

But where could I see the actual findings or alerts? They are not in the zap.log file or in the output of the above script that I captured in a file. Note that I did not specify the results to be posted to JIRA. I hope that it is not mandatory to use JIRA to get the results.

I do see this one error in the scan script output which I am assuming is because I did not specify any argument to the scan script and so can be ignored?

Traceback (most recent call last):
  File "run_scan.py", line 6, in <module>
    scan.main(sys.argv[1:])
  File "C:\owasp_zap\community-scripts-master\api\sdlc-integration\core\scan_module\scan.py", line 325, in main
    status_code, report_string = report_results(zap, config_dict)
  File "C:\owasp_zap\community-scripts-master\api\sdlc-integration\core\scan_module\scan.py", line 207, in report_results
    if (not alert_dict.has_key(plugin_id)):
AttributeError: 'dict' object has no attribute 'has_key'

thanks
Jay

thc...@gmail.com

Jul 6, 2017, 5:23:48 PM
to zaproxy...@googlegroups.com
The results should be in the output but it needs to be used with Python
2, the script(s) is not compatible with Python 3, yet. I missed the
earlier mention of Python 3, sorry.

An issue has been raised to address that. [1]


There are similar scripts that work with Python 3 but use Docker:
https://github.com/zaproxy/zaproxy/wiki/Docker

(It's missing the wiki page of zap-full-scan.py, but the usage should be
enough to get started, it's similar to baseline scan.)


[1] https://github.com/zaproxy/community-scripts/issues/61

Best regards.
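
Added example (not part of the thread and not code from community-scripts): a Python 2/3-compatible way to group alerts by plugin id without dict.has_key(), the call that fails in the traceback above, plus a guard that skips the scanner-disabling call when nothing is configured to be ignored, as described in the first reply. The function names, the ascan argument and the sample alerts are assumptions made for illustration.

```python
# Added example: not code from community-scripts. Function names and the
# sample alerts are constructed; the alert keys mirror ZAP's alert fields.
from collections import OrderedDict


def group_alerts_by_plugin(alerts):
    """Group alert dicts by plugin id; works on Python 2.7 and 3.x."""
    alert_dict = OrderedDict()
    for alert in alerts:
        plugin_id = alert.get("pluginId")
        # dict.has_key() was removed in Python 3; `in` works on both.
        if plugin_id not in alert_dict:
            alert_dict[plugin_id] = {"name": alert.get("alert"),
                                     "risk": alert.get("risk"),
                                     "urls": []}
        alert_dict[plugin_id]["urls"].append(alert.get("url"))
    return alert_dict


def disable_ignored_scanners(ascan, ignored_ids):
    """Call ascan.disable_scanners only when there is something to disable.

    With nothing to ignore the request has no usable `ids`, the case the
    first reply ties to the "Missing Parameter ... ids" warning.
    Returns the ids string sent, or None when the call was skipped.
    """
    ids = ",".join(str(i).strip() for i in ignored_ids if str(i).strip())
    if not ids:
        return None
    ascan.disable_scanners(ids)
    return ids


# Constructed sample data (not real scan output).
SAMPLE_ALERTS = [
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set",
     "risk": "Medium", "url": "http://my-target-website/"},
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set",
     "risk": "Medium", "url": "http://my-target-website/about.html"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://my-target-website/"},
]

if __name__ == "__main__":
    for pid, info in group_alerts_by_plugin(SAMPLE_ALERTS).items():
        print("%s %s [%s] %d URL(s)"
              % (pid, info["name"], info["risk"], len(info["urls"])))
```

The ascan argument is expected to be the active-scan object of the ZAP Python client (zap.ascan), whose disable_scanners method takes the comma-separated ids.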