ZAP Automation Framework Errors

[Sai Theja Pamarty]

Hi,

I'm using the default SOAP plan available in the automation framework in ZAP GUI.

The plan I'm using is,

---

env:

  contexts:

  - name: "Default Context"

    urls:

    - "http://www.emaple.com/ws/vs?WSDL"

    includePaths: []

    excludePaths: []

    authentication:

      parameters: {}

      verification:

        method: "response"

        pollFrequency: 60

        pollUnits: "requests"

    sessionManagement:

      method: "cookie"

      parameters: {}

    technology:

      exclude: []

  parameters:

    failOnError: true

    failOnWarning: false

    progressToStdout: true

  vars: {}

jobs:

- parameters:

    scanOnlyInScope: true

    enableTags: false

  rules: []

  name: "passiveScan-config"

  type: "passiveScan-config"

- parameters:

    wsdlFile: ""

    wsdlUrl: " http://www.emaple.com/ws/vs?WSDL"

  name: "soap"

  type: "soap"

- parameters:

    context: "Default Context"

    user: ""

    url: " http://www.emaple.com/ws/vs?WSDL"

    maxDuration: 0

    maxDepth: 0

    maxChildren: 0

  name: "spider"

  type: "spider"

  tests:

  - onFail: "INFO"

    statistic: "automation.spider.urls.added"

    site: ""

    operator: ">="

    value: 100

    name: "At least 100 URLs found"

    type: "stats"

- parameters: {}

  name: "passiveScan-wait"

  type: "passiveScan-wait"

- parameters:

    context: "Default Context"

    user: ""

    policy: ""

    maxRuleDurationInMins: 0

    maxScanDurationInMins: 0

  policyDefinition:

    defaultStrength: "medium"

    defaultThreshold: "medium"

    rules: []

  name: "activeScan"

  type: "activeScan"

- parameters:

    template: "risk-confidence-html"

    theme: "original"

    reportDir: "C:\\Users\\p\\Desktop\\zap"

    reportFile: ""

    reportTitle: "ZAP Scanning Report"

    reportDescription: ""

    displayReport: true

  risks:

  - "info"

  - "low"

  - "medium"

  - "high"

  confidences:

  - "falsepositive"

  - "low"

  - "medium"

  - "high"

  - "confirmed"

  sections:

  - "siteRiskCounts"

  - "responseBody"

  - "appendix"

  - "alertTypes"

  - "responseHeader"

  - "alertTypeCounts"

  - "riskConfidenceCounts"

  - "alerts"

  - "aboutThisReport"

  - "contents"

  - "requestBody"

  - "reportDescription"

  - "reportParameters"

  - "requestHeader"

  - "summaries"

  name: "report"

  type: "report"

I'm getting the following errors, 

 [main ] ERROR WSDLCustomParser - Unable to communicate with SOAP server. Server may be not available.
javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]

for TLS, is there any way to allow this through the framework? other than going to java.security file and changing those into legacy algorithms.

[ZAP-telemetry-start] ERROR ExtensionCallHome - Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

is there any way to define proxy settings in the zap framework?

for the default full-scan framework, I'm getting the following error,

[ZAP-ActiveScanner-0] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: LINUX
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '', ip: '', os.name: 'Linux', os.arch: 'amd64', os.version: '3.10.0-1160.81.1.0.1.el7.x86_64', java.version: '11.0.17'
Driver info: driver.version: FirefoxDriver
[ZAP-Scanner-0] INFO  HostProcess - skipped plugin [failed to start or connect to the browser] http://10.196.150.192 | DomXssScanRule in 0.046s with 0 message(s) sent and 0 alert(s) raised.

I'm using Linux through the cmd line and there's no graphical interface available. what should I do about this?

Thank you in advance.

Regards

Sai Theja

[Sai Theja Pamarty]

FYI, in the above automation framework. I've taken it from another system GUI and I'm running that framework using the command line on Linux (which doesn't have any GUI and is a remote server)

[Simon Bennetts]

Yes, you can define the proxy and any other ZAP settings via the "-config" command line options: https://www.zaproxy.org/docs/desktop/cmdline/

To find out the right keys to use see https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Do let us know if there are ones you need to set - the plan is to support all of the common ones in the YAML.

The proxy settings are on that list :)

Re the SSL issue have a play with the network settings https://www.zaproxy.org/docs/desktop/addons/network/options/connection/

If you can reproduce the problem in the ZAP desktop somewhere then this will make your life easier ;)

Re browser problems see https://www.zaproxy.org/faq/how-can-i-fix-browser-was-not-found/

Cheers,

Simon

[psiinon]

By default ZAP will listen on localhost:8080 but you can change the host and port via the commandline: https://www.zaproxy.org/docs/desktop/cmdline/

That works however you run ZAP, via the desktop, daemon mode and Automation Framework.

Cheers,

Simon

On Thu, Mar 23, 2023 at 7:52 AM Sai Theja Pamarty <p.s.t...@gmail.com> wrote:

can you give me an example either in the automation framework or in cmd line. On how to give proxy as input?

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/22187170-8586-4368-8613-d3b1bfc2a443n%40googlegroups.com.

--

OWASP ZAP Project leader