Issue when running zap in docker container on machine behind corporate proxy


patrick roos

Jun 16, 2021, 3:17:53 AM
to OWASP ZAP User Group
Dear zap users,

I am looking to use zap as a tool within our CI/CD pipeline. The machine where the pipeline runs is a Linux CentOS machine behind a corporate proxy.

I am trying to do the following steps:
  1. Spin up a container using the owasp/zap2docker-stable image
  2. Start the zap-baseline.py for a baseline scan
I am using the following command:
docker run --rm -it owasp/zap2docker-stable zap-baseline.py -t https://my-site

I am now seeing the following message:

So this means no internet connection is present within the container. The next test was to jump into the container and see if indeed there is no internet connection. I first looked at the environment variables and saw that HTTP_PROXY and HTTPS_PROXY are present and set with the correct values. Then I ran a curl check using the following command: curl https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.10.xml, and I see the XML as a response. So now I can conclude there is an internet connection within the running container.

My next conclusion is that zap needs to be configured so it will start using the http proxy.

Next try was to start zap with webswing using the following command:
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh

After starting zap in the browser, I filled in the attacking site URL (which is, by the way, my own site) and pressed the attack button. A message is shown saying: Failed to attack the URL: 'my-site'. I was expecting this message. Then I went to Tools -> Options -> Connection -> Use outgoing proxy server. After filling in the correct URL and port and retrying the attack on the site, it is now working. So from the UI it is possible to configure zap to use the proxy.

But my question is how to configure zap to use the outgoing proxy when starting the baseline Python script (zap-baseline.py). In the documentation (https://www.zaproxy.org/docs/docker/baseline-scan/) I see there is a -z "-config ..." option. But I simply can't find any info on this topic.

Can you please help me out on this one?

Kind regards,
Patrick

Simon Bennetts

Jun 16, 2021, 4:20:42 AM
to OWASP ZAP User Group

patrick roos

Jun 16, 2021, 4:42:32 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for the quick response. I was not aware of this FAQ ;-)

Looking into the FAQ I have some questions. I will sum up the steps for better understanding:

Step 1:
Start ZAP with a clean directory, e.g. ./zap.sh -dir test1
I executed the command as described and see that a default configuration file has been created within /zap/test1/config.xml

Step 2:
Close ZAP
I don't have to do anything for this, ZAP has stopped. This is because of the following message: ZAP GUI is not supported on a headless environment

Step 3:
Start ZAP with another clean directory, e.g. ./zap.sh -dir test2
Executed the command as described in step 3

Step 4:
Set the option you want to know the key of
This step is not clear to me. How do I set the option I want to know the key for?

Step 5:
Close ZAP
Same as in steps 1 and 2, ZAP is closed because of the failure

Step 6:
Diff the 2 config files: diff test1/config.xml test2/config.xml
After executing this command there is no result

Can you give some more information on this topic? For the record, I am new to ZAP, so I have little to no experience in this context.

Kind regards,
Patrick

On Wednesday, 16 June 2021 at 10:20:42 UTC+2, psi...@gmail.com wrote:

Simon Bennetts

Jun 16, 2021, 4:58:53 AM
to OWASP ZAP User Group
Hi Patrick,

Those instructions will not work if you cannot run the ZAP desktop.
Can you run ZAP locally?
Alternatively:
  • Configure ZAP via web swing as you did before
  • Start a bash shell on the same docker image
  • Find the ZAP config.xml file that was changed
  • Look at the file and find the values you put in via webswing
  • Convert those XML paths to the dot notation
Basically ZAP uses an XML file for all of its configs.
This was intended to be internal and so is not really documented.
But in order to set ZAP config values via the command line you need to find the relevant values in the config file and convert their positions into a dot notation.

Does that make any more sense?

Cheers,

Simon

patrick roos

Jun 16, 2021, 8:49:41 AM
to OWASP ZAP User Group
Hi Simon,

Based on your help, I found the solution.

What I did.

  • Spin up docker container with webswing using the following command: docker run -u zap -p 8080:8080 -p 8090:8090 -d --name zap --hostname zap owasp/zap2docker-stable zap-webswing.sh
  • Opened a web browser and navigated to http://localhost:8080/zap
  • Opened Options -> Connections and filled in the proxy settings
  • Tested from webswing (UI) whether the testable attacking site could be reached. This was the case
  • Jumped into the docker container using the following command: docker exec -it zap sh
  • Searched for the config.xml file. This took me a while, but the correct one was located at: /home/zap/.ZAP/config.xml
  • Searched whether the proxy settings were present in config.xml. This was indeed the case
  • Translated them to dot notation
So my final docker run command, from which the proxy settings can be provided, is the following:

docker run --rm -it -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable zap-baseline.py -t https://test-site -g gen.conf -r testreport.html -z "-config connection.proxyChain.enabled=true -config connection.proxyChain.hostName=<proxy_host> -config connection.proxyChain.port=3128"

Hopefully this will be of some help when someone else encounters the same situation.

Simon, thank you for your help.

Kind regards,
Patrick

On Wednesday, 16 June 2021 at 10:58:53 UTC+2, psi...@gmail.com wrote:
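
The two procedures in this thread (Simon's "diff the two config.xml files" FAQ steps and Patrick's "find the keys the webswing UI wrote, then translate them to dot notation") can be automated. The script below is an added example written for this page; it is not part of ZAP or its documentation. It assumes what Simon describes: that ZAP's config.xml is an Apache Commons Configuration XML file, so the element path connection/proxyChain/hostName becomes the key connection.proxyChain.hostName (repeated sibling elements get a Commons-style (n) index suffix). The two XML documents embedded in it are constructed samples standing in for a fresh config and the same file after the proxy was set in the UI; real config.xml files contain many more keys, and the proxy host `proxy.example.internal` is a placeholder.

```python
"""Turn the differences between two ZAP config.xml files into the
'-config key=value' arguments that zap-baseline.py accepts via -z.

Added example for this thread, not ZAP's own code. Assumes the
Commons Configuration mapping described in the thread: nested element
path -> dot-separated key, repeated siblings -> key(n).
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: a fresh config (BEFORE) and the same file after the
# outgoing proxy was enabled through the webswing UI (AFTER).
CONFIG_BEFORE = """<config>
  <connection>
    <timeoutInSecs>20</timeoutInSecs>
    <proxyChain>
      <enabled>false</enabled>
      <hostName></hostName>
      <port>8080</port>
    </proxyChain>
  </connection>
</config>
"""

CONFIG_AFTER = """<config>
  <connection>
    <timeoutInSecs>20</timeoutInSecs>
    <proxyChain>
      <enabled>true</enabled>
      <hostName>proxy.example.internal</hostName>
      <port>3128</port>
    </proxyChain>
  </connection>
</config>
"""


def flatten(xml_text):
    """Return {dot.notation.key: value} for every leaf element under <config>."""
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(element, prefix):
        # Count tags so repeated siblings can be distinguished with (n)
        counts = {}
        for child in element:
            counts[child.tag] = counts.get(child.tag, 0) + 1
        seen = {}
        for child in element:
            idx = seen.get(child.tag, 0)
            seen[child.tag] = idx + 1
            name = child.tag if counts[child.tag] == 1 else f"{child.tag}({idx})"
            key = f"{prefix}.{name}" if prefix else name
            if len(child):          # has element children: descend
                walk(child, key)
            else:                   # leaf: record its text value
                leaves[key] = (child.text or "").strip()

    walk(root, "")
    return leaves


def changed_keys(before_xml, after_xml):
    """Keys whose value differs between the two configs (the FAQ's diff step)."""
    before, after = flatten(before_xml), flatten(after_xml)
    return {k: v for k, v in after.items() if before.get(k) != v}


def to_config_args(settings):
    """Build the single string handed to -z, e.g. '-config a.b=1 -config c.d=2'."""
    return " ".join(f"-config {k}={shlex.quote(v)}" for k, v in sorted(settings.items()))


def baseline_command(target, settings):
    """Assemble the docker run line from the thread with the -z argument filled in."""
    return (
        "docker run --rm -it -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable "
        f"zap-baseline.py -t {target} -g gen.conf -r testreport.html "
        f"-z {shlex.quote(to_config_args(settings))}"
    )


if __name__ == "__main__":
    diff = changed_keys(CONFIG_BEFORE, CONFIG_AFTER)
    for key, value in sorted(diff.items()):
        print(f"{key} = {value}")
    print(baseline_command("https://test-site", diff))
```

Running it prints the three proxyChain keys Patrick arrived at by hand and the full docker run line. The whole `-config ...` list is passed to `-z` as one shell argument, which is why it is quoted as a unit; any other setting changed through the UI shows up in the diff under the same mapping, so the same script covers settings beyond the proxy.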

Simon Bennetts

Jun 16, 2021, 9:16:38 AM
to OWASP ZAP User Group
Good to hear it's working and thanks for the details of your working configuration!