I'm using a custom header during a ZAP scan to prevent the requests from being logged by our backend log collection application. However, after a recent ZAP update, we noticed that the header is no longer being sent to the application during passive/active scans.
Could someone confirm if there were any changes in the latest version that might have caused this?
+++++++++++++++++++++++++++++
1699778 [ZAP-IO-Server-1-10] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/load/] from [172.17.0.1]:
org.zaproxy.zap.extension.api.ApiException: DOES_NOT_EXIST (scriptEngine)
at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:324) ~[zap-2.15.0.jar:2.15.0]
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:538) ~[zap-2.15.0.jar:2.15.0]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleApiRequest(ZapApiHandler.java:111) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleRequest(ZapApiHandler.java:85) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleMessage(ZapApiHandler.java:70) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.19.0.zap:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.security.InvalidParameterException: No such engine: jython
at org.zaproxy.zap.extension.script.ExtensionScript.getEngineWrapper(ExtensionScript.java:475) ~[zap-2.15.0.jar:2.15.0]
at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:322) ~[zap-2.15.0.jar:2.15.0]
... 13 more
1699785 [ZAP-IO-Server-1-10] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/enable/] from [172.17.0.1]:
org.zaproxy.zap.extension.api.ApiException: DOES_NOT_EXIST (scriptName)
at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:288) ~[zap-2.15.0.jar:2.15.0]
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:538) ~[zap-2.15.0.jar:2.15.0]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleApiRequest(ZapApiHandler.java:111) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleRequest(ZapApiHandler.java:85) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleMessage(ZapApiHandler.java:70) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.19.0.zap:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
1699792 [ZAP-SpiderInitThread-3] INFO org.zaproxy.addon.spider.SpiderThread - Starting spidering scan on Context: 3e378c55-070c-45d2-95f5-4ffa9844a331 at 2025-03-06T10:53:03.902+0000
+++++++++++++++++++++++++++++
+++++++++++++++++++++++
#!/bin/bash
cd ~/zap/zap-extensions
./gradlew tasks
./gradlew copyMandatoryAddOns
./gradlew copyZapAddOn
#./gradlew addOns:pscanrules:copyZapAddOn
cd ~/zap/zaproxy
./gradlew tasks
./gradlew copyWeeklyAddOns
./gradlew run --args="-daemon -config api.key=secret -config database.compact=true"
+++++++++++++++++++++++
We have our wrapper scripts in ~/api-scanner/app/*
I think this already installs the jython addon, right?