DomXssScanRule - geckodriver: cannot execute binary file


enterscanman

Jan 25, 2023, 8:55:33 PM
to OWASP ZAP User Group

Thanks for having such a helpful and friendly user group!

Environment:
I have zap on an ec2 instance (Amazon Linux 2), running in daemon mode using:
"/usr/local/bin/ZAP_2.12.0/zap.sh -daemon -config api.disablekey=true"

Examining the zap startup logs I noticed the following:
2023-01-11 15:52:05,341 [ZAP-ActiveScanner-0] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: LINUX
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '<host>', ip: '<ip>', os.name: 'Linux', os.arch: 'aarch64', os.version: '5.10.149-133.644.amzn2.aarch64', java.version: '17.0.5'
Driver info: driver.version: FirefoxDriver
2023-01-11 15:52:05,342 [ZAP-ActiveScanner-1] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: LINUX
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '<host>', ip: '<ip>', os.name: 'Linux', os.arch: 'aarch64', os.version: '5.10.149-133.644.amzn2.aarch64', java.version: '17.0.5'
Driver info: driver.version: FirefoxDriver

So I install firefox with the following command:
sudo amazon-linux-extras install firefox

The command 'firefox' produces the following error:
Error: no DISPLAY environment variable specified

This makes sense because I don't have a GUI configured, but I try a scan anyway hoping that maybe it just works in a headless state, and I get the following error:
Jan 25 21:22:23 zap.sh[522]: 643241 [ZAP-Scanner-0] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://<target> | DomXssScanRule strength MEDIUM threshold MEDIUM
Jan 25 21:22:23 zap.sh[522]: /root/.ZAP/webdriver/linux/32/geckodriver: /root/.ZAP/webdriver/linux/32/geckodriver: cannot execute binary file
Jan 25 21:22:23 zap.sh[522]: /root/.ZAP/webdriver/linux/32/geckodriver: /root/.ZAP/webdriver/linux/32/geckodriver: cannot execute binary file
Jan 25 21:22:43 zap.sh[522]: 663630 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: The driver server has unexpectedly died!
Jan 25 21:22:43 zap.sh[522]: Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
Jan 25 21:22:43 zap.sh[522]: System info: host: '<host>', ip: '<ip>', os.name: 'Linux', os.arch: 'aarch64', os.version: '5.10.162-141.675.amzn2.aarch64', java.version: '17.0.6'
Jan 25 21:22:43 zap.sh[522]: Driver info: driver.version: FirefoxDriver
Jan 25 21:22:43 zap.sh[522]: 663631 [ZAP-ActiveScanner-0] WARN org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: The driver server has unexpectedly died!
Jan 25 21:22:43 zap.sh[522]: Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
Jan 25 21:22:43 zap.sh[522]: System info: host: '<host>', ip: '<ip>', os.name: 'Linux', os.arch: 'aarch64', os.version: '5.10.162-141.675.amzn2.aarch64', java.version: '17.0.6'
Jan 25 21:22:43 zap.sh[522]: Driver info: driver.version: FirefoxDriver
Jan 25 21:22:43 zap.sh[522]: 663660 [ZAP-Scanner-0] INFO org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [failed to start or connect to the browser] <target> | DomXssScanRule in 20.419s with 0 message(s) sent and 0 alert(s) raised.

Am I missing some configuration? Has anyone had success with DomXssScanRule on Amazon Linux 2? Thanks in advance for any insight!

thc...@gmail.com

Jan 26, 2023, 4:39:45 AM
to zaprox...@googlegroups.com
Hi.

The problem is most likely the architecture, you need to use a different
geckodriver binary.

Best regards.

enterscanman

Jan 26, 2023, 9:44:47 AM
to OWASP ZAP User Group
Hmm, interesting.

At /root/.ZAP/webdriver/linux I have:
.
├── 32
│   └── geckodriver
└── 64
    ├── chromedriver
    └── geckodriver

Maybe I need to use the 64bit driver? Any idea how I configure zap to use 64 instead of 32 here?

psiinon

Jan 26, 2023, 11:08:37 AM
to zaprox...@googlegroups.com
When did you try this?
Update ZAP and try again - we've just released a new version of the linux webdrivers with the 64bit version included.
It wasn't included before... I'm surprised it's in your .ZAP directory :/

Cheers,

Simon

--
OWASP ZAP Project leader

enterscanman

Jan 26, 2023, 11:19:57 AM
to OWASP ZAP User Group
Very interesting. I tried this yesterday so maybe that jives?

enterscanman

Jan 31, 2023, 4:07:44 PM
to OWASP ZAP User Group
I'm using v2.12.0 via wget -nv https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz

Simon Bennetts

Feb 1, 2023, 4:22:30 AM
to OWASP ZAP User Group
You need to update ZAP, e.g. using the "-addonupdate" commandline option.
Browsers change very frequently, and therefore so do webdrivers.
Updating ZAP will ensure that you have the very latest webdrivers.

Let us know how you get on.

Cheers,

Simon

enterscanman

Feb 1, 2023, 9:03:48 AM
to OWASP ZAP User Group
Thanks! I'll give it a try today and report back. I'm currently running with the -silent flag to get past https://groups.google.com/g/zaproxy-users/c/VL7Jk8iAF6I/m/cxSfrTSSAQAJ which I imagine will conflict.

thc...@gmail.com

Feb 1, 2023, 9:44:57 AM
to zaprox...@googlegroups.com
Use:
-silent -addoninstall webdriverlinux

Alternatively use the weekly release, which has the add-ons up-to-date.
https://www.zaproxy.org/download/#weekly

Best regards.
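The architecture mismatch diagnosed in the replies above (a geckodriver under webdriver/linux/32 that the kernel refuses to exec on an aarch64 instance) can be confirmed before ZAP is started. This is an added example, not code from the thread or from the ZAP project: it reads the ELF machine type straight from the driver binary and compares it with uname -m, using only dd, od and uname; the ZAP home path in the loop at the end is an assumed default.

```sh
#!/bin/sh
# Added example, not code from the thread or the ZAP project: diagnose the
# "cannot execute binary file" error by reading the ELF machine type of the
# geckodriver ZAP is about to launch and comparing it with the host CPU.

# Print the architecture a binary was built for, as a uname -m style name.
# Returns 1 if the file does not start with the ELF magic.
elf_arch() {
    path="$1"
    # Bytes 0-3 hold the magic 7f 45 4c 46 ("\177ELF").
    magic=$(dd if="$path" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    # Bytes 18-19 hold e_machine, little-endian.
    machine=$(dd if="$path" bs=1 skip=18 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$machine" in
        0300) echo i386 ;;     # the 32-bit x86 driver under webdriver/linux/32
        3e00) echo x86_64 ;;
        b700) echo aarch64 ;;  # Graviton / arm64 EC2 instances
        *)    echo "unknown(0x$machine)" ;;
    esac
}

# Return 0 when the driver matches the running kernel, 1 otherwise; the
# mismatch case is exactly what surfaces as "cannot execute binary file".
driver_matches_host() {
    drv="$1"
    arch=$(elf_arch "$drv") || { echo "$drv: not an ELF binary" >&2; return 1; }
    host=$(uname -m)
    if [ "$arch" = "$host" ]; then
        echo "$drv: $arch, matches host"
        return 0
    fi
    echo "$drv: built for $arch but host is $host; update the webdriverlinux add-on" >&2
    return 1
}

# Constructed test fixture: a 20-byte ELF header stub, not a real driver.
# $1 = output path, $2 = low byte of e_machine as an octal escape (e.g. '\267').
make_stub() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000'"$2"'\000' > "$1"
}

# Typical use (assumed default ZAP home): check both shipped drivers.
for d in "$HOME/.ZAP/webdriver/linux/32/geckodriver" "$HOME/.ZAP/webdriver/linux/64/geckodriver"; do
    if [ -f "$d" ]; then driver_matches_host "$d" || :; fi
done
```

Once the check reports a match for the driver ZAP will pick, start the daemon with the flags from the thread (-silent -addoninstall webdriverlinux) so the add-on stays current.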

enterscanman

Feb 2, 2023, 11:19:46 AM
to OWASP ZAP User Group
Success! Firefox warnings gone. The only remaining error I'm getting is:

org.zaproxy.zap.extension.script.ExtensionScript - No default JavaScript/ECMAScript engine found, some scripts might no longer work.
org.zaproxy.zap.extension.soap.ExtensionImportWSDL - The Oracle Nashorn engine was not found, script variant will not be added.
org.zaproxy.addon.graphql.ExtensionGraphQl - The Oracle Nashorn engine was not found, script variant will not be added.

Would this also be solved by the weekly release?

Simon Bennetts

Feb 2, 2023, 11:31:26 AM
to OWASP ZAP User Group
No, that's related to the version of Java you are using.
Java 11 includes Oracle Nashorn, but it is no longer present in 17+.
So you either need to use Java 11 or use the GraalVM JavaScript engine.

Cheers,

Simon

enterscanman

Feb 3, 2023, 11:16:21 AM
to OWASP ZAP User Group
Ah thanks. Don't want to downgrade Java so I'm taking the GraalVM route. I've got GraalVM installed, can you point me to documentation on configuring zap to work with GraalVM?

enterscanman

Feb 3, 2023, 3:16:00 PM
to OWASP ZAP User Group
Actually I think I made some progress. I followed https://www.graalvm.org/latest/reference-manual/js/ with:

$GRAALVM/bin/gu install js

Then made sure GRAALVM was on my path before starting zap.

Now the first warning (org.zaproxy.zap.extension.script.ExtensionScript - No default JavaScript/ECMAScript engine found, some scripts might no longer work.) is gone, but the following warnings remain:
org.zaproxy.zap.extension.soap.ExtensionImportWSDL - The Oracle Nashorn engine was not found, script variant will not be added.
org.zaproxy.addon.graphql.ExtensionGraphQl - The Oracle Nashorn engine was not found, script variant will not be added.

thc...@gmail.com

Feb 3, 2023, 3:49:12 PM
to zaprox...@googlegroups.com
In this case we are referring to the script engine, not the VM. You should
still use the normal Java VM.

Only one of the warnings can be solved currently, by updating the
graphql add-on. (You can add another -addoninstall argument.)

There's an issue for SOAP:
https://github.com/zaproxy/zaproxy/issues/6500

Best regards.

enterscanman

Feb 6, 2023, 1:45:42 PM
to OWASP ZAP User Group
Success! Thanks all!