ZAP Authentication in jenkins plugin
698 views
Skip to first unread message
Thilina Madhusanka
Sep 1, 2015, 2:03:28 AM9/1/15
to OWASP ZAP User Group
Hi
I have modified the existing [1] zaproxy jenkins plugin to use authentication .
any one want to test it works and do any suggestions or add methods or do modification can get it [2].
this plugin works with the new zap weekly relese [3] (recommend to use this, im using it to work with this)
thc...@gmail.com
Sep 2, 2015, 2:43:50 AM9/2/15
to zaprox...@googlegroups.com, zaproxy...@googlegroups.com
Hi.
Thanks for sharing!
CC'ing dev mailing list in case someone interested is not on the users list.
Best regards.
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
Thanks for sharing!
CC'ing dev mailing list in case someone interested is not on the users list.
Best regards.
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
ryerson...@gmail.com
Sep 14, 2015, 1:46:29 PM9/14/15
to OWASP ZAP User Group
I downloaded the files off of github but i cannot find the .hpi file, is there a particular install method that i need to do? Thank you!
Thilina Madhusanka
Sep 14, 2015, 11:18:38 PM9/14/15
to OWASP ZAP User Group
Hi
Ill guide you through the process.
You have to buid it to get the .hpi file.
New version of the plugin [1] will be soon available to download.
Ill guide you through the process.
Download source code in [1] and extract it to some directory
Then navigate to that dir using terminal
then typ mvn install
it will take like 2 mins and then in that dir there will be a directory named target. in side you will find the .hpi file.
you need to have maven and maven path must be set. let me know if you need any help.
cheers
Thilina Madhusanka
Sep 14, 2015, 11:23:15 PM9/14/15
to OWASP ZAP User Group
Message has been deleted
ryerson...@gmail.com
Sep 16, 2015, 1:59:03 PM9/16/15
to OWASP ZAP User Group
Greatly appreciated, thank you! Going to try it right now.
ryerson...@gmail.com
Sep 16, 2015, 2:21:38 PM9/16/15
to OWASP ZAP User Group
I got the .hpi file. A couple questions if you don't mind.
In Jenkins, Manage Jenkins > Configure System
1) Do i need to have anything for the Maven Configurations or Maven Installations setup?
2) When adding Custom tool installation for Zap Proxy Plugin, would you mind posting a screenshot of your config settings please. The server is rejecting the connection to the tar.gz file because it no longer exists at the specified url.
3) Where do i enter the username and password for the site as well as it's method of authentication?
Really, thank you for taking the time to help, teach. I have been looking for the last couple days and couldn't make much progress.
Cheers.
In Jenkins, Manage Jenkins > Configure System
1) Do i need to have anything for the Maven Configurations or Maven Installations setup?
2) When adding Custom tool installation for Zap Proxy Plugin, would you mind posting a screenshot of your config settings please. The server is rejecting the connection to the tar.gz file because it no longer exists at the specified url.
3) Where do i enter the username and password for the site as well as it's method of authentication?
Really, thank you for taking the time to help, teach. I have been looking for the last couple days and couldn't make much progress.
Cheers.
Thilina Madhusanka Perera
Sep 20, 2015, 5:51:29 AM9/20/15
to OWASP ZAP User Group
Hi
Im same Thilina.
Now the new plugin has released so you can directly get it from Jenkins.
Here [1] i have also added the configuration details
Sorry about the late reply. If you need any help ill be happy to provide it
Cheers
ryerson...@gmail.com
Sep 22, 2015, 10:27:06 AM9/22/15
to OWASP ZAP User Group
Don't apologize, you're helping me! Thank you. I followed the wiki setup page and i still get errors. I do not have my pc in front of me but I'll post some of the errors if you don't mind and hopefully you'll be able to shed some light on the issue.
P.S. The .tar.gz file in the links under Custom Tools is a dead link (file does not exist).
P.S. The .tar.gz file in the links under Custom Tools is a dead link (file does not exist).
ryerson...@gmail.com
Sep 22, 2015, 10:41:09 AM9/22/15
to OWASP ZAP User Group
“zaproxy-plugin” configuration in jobs: ZAPROXY_HOME, where is that set and what is it actually pointing to?
Thilina Madhusanka
Sep 23, 2015, 12:27:32 AM9/23/15
to OWASP ZAP User Group
HI
I have set up ZAPROXY_HOME="path to may zap directory" , in /etc/ environment file witch has path variable setup
Put ZAPROXY_HOME in your etc/environment file like as ZAPROXY_HOME="YOur zap directory path"
cheers
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
ryerson...@gmail.com
Sep 23, 2015, 3:32:13 PM9/23/15
to OWASP ZAP User Group
Deleted my previous posts, i figured those issues out. This is a piece of the console log, i can post the full log if needed but do you have nay idea how to fix these issues. Or are they even issues at all?
Status spider = running
Alerts number = ApiResponseElement numberOfAlerts = 210
92344 [pool-2-thread-2] INFO com.crawljax.core.state.StateMachine - State state16 added to the StateMachine.
92344 [pool-2-thread-2] INFO com.crawljax.core.Crawler - New DOM is a new state! crawl depth is now 1
92390 [pool-2-thread-2] INFO com.crawljax.browser.WebDriverBackedEmbeddedBrowser - Closing the browser...
92390 [Thread-8] INFO com.crawljax.core.CrawlController - Received shutdown notice. Reason is Exausted
92529 [pool-2-thread-2] WARN org.openqa.selenium.os.ProcessUtils - Process refused to die after 10 seconds, and couldn't taskkill it
org.openqa.selenium.WebDriverException: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:123)
at org.openqa.selenium.os.CommandLine.execute(CommandLine.java:116)
at org.openqa.selenium.os.WindowsUtils.killPID(WindowsUtils.java:173)
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:138)
at org.openqa.selenium.os.ProcessUtils.killProcess(ProcessUtils.java:81)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.destroyHarder(UnixProcess.java:247)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.access$2(UnixProcess.java:246)
at org.openqa.selenium.os.UnixProcess.destroy(UnixProcess.java:125)
at org.openqa.selenium.os.CommandLine.destroy(CommandLine.java:153)
at org.openqa.selenium.firefox.FirefoxBinary.quit(FirefoxBinary.java:259)
at org.openqa.selenium.firefox.internal.NewProfileExtensionConnection.quit(NewProfileExtensionConnection.java:204)
at org.openqa.selenium.firefox.FirefoxDriver$LazyCommandExecutor.quit(FirefoxDriver.java:377)
at org.openqa.selenium.firefox.FirefoxDriver.stopClient(FirefoxDriver.java:323)
at org.openqa.selenium.remote.RemoteWebDriver.quit(RemoteWebDriver.java:467)
at com.crawljax.browser.WebDriverBackedEmbeddedBrowser.close(WebDriverBackedEmbeddedBrowser.java:328)
at com.crawljax.core.Crawler.close(Crawler.java:94)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:50)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:16)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.InterruptedException: sleep interrupted
at java.lang.Thread.sleep(Native Method)
at org.apache.commons.exec.DefaultExecuteResultHandler.waitFor(DefaultExecuteResultHandler.java:121)
at org.openqa.selenium.os.UnixProcess.waitFor(UnixProcess.java:139)
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:121)
... 21 more
92545 [pool-2-thread-2] ERROR com.crawljax.core.CrawlTaskConsumer - Unexpected error Process refused to die after 10 seconds, and couldn't taskkill it: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
java.lang.RuntimeException: Process refused to die after 10 seconds, and couldn't taskkill it: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:142)
at org.openqa.selenium.os.ProcessUtils.killProcess(ProcessUtils.java:81)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.destroyHarder(UnixProcess.java:247)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.access$2(UnixProcess.java:246)
at org.openqa.selenium.os.UnixProcess.destroy(UnixProcess.java:125)
at org.openqa.selenium.os.CommandLine.destroy(CommandLine.java:153)
at org.openqa.selenium.firefox.FirefoxBinary.quit(FirefoxBinary.java:259)
at org.openqa.selenium.firefox.internal.NewProfileExtensionConnection.quit(NewProfileExtensionConnection.java:204)
at org.openqa.selenium.firefox.FirefoxDriver$LazyCommandExecutor.quit(FirefoxDriver.java:377)
at org.openqa.selenium.firefox.FirefoxDriver.stopClient(FirefoxDriver.java:323)
at org.openqa.selenium.remote.RemoteWebDriver.quit(RemoteWebDriver.java:467)
at com.crawljax.browser.WebDriverBackedEmbeddedBrowser.close(WebDriverBackedEmbeddedBrowser.java:328)
at com.crawljax.core.Crawler.close(Crawler.java:94)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:50)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:16)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.openqa.selenium.WebDriverException: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:123)
at org.openqa.selenium.os.CommandLine.execute(CommandLine.java:116)
at org.openqa.selenium.os.WindowsUtils.killPID(WindowsUtils.java:173)
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:138)
... 18 more
Caused by: java.lang.InterruptedException: sleep interrupted
at java.lang.Thread.sleep(Native Method)
at org.apache.commons.exec.DefaultExecuteResultHandler.waitFor(DefaultExecuteResultHandler.java:121)
at org.openqa.selenium.os.UnixProcess.waitFor(UnixProcess.java:139)
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:121)
... 21 more
92547 [Thread-8] INFO com.crawljax.core.CrawlController - Shutdown process complete
92547 [Thread-8] INFO org.zaproxy.zap.extension.spiderAjax.SpiderThread - Stopping proxy...
92647 [Thread-8] INFO org.zaproxy.zap.extension.spiderAjax.SpiderThread - Proxy stopped.
Status spider = running
Alerts number = ApiResponseElement numberOfAlerts = 210
92344 [pool-2-thread-2] INFO com.crawljax.core.state.StateMachine - State state16 added to the StateMachine.
92344 [pool-2-thread-2] INFO com.crawljax.core.Crawler - New DOM is a new state! crawl depth is now 1
92390 [pool-2-thread-2] INFO com.crawljax.browser.WebDriverBackedEmbeddedBrowser - Closing the browser...
92390 [Thread-8] INFO com.crawljax.core.CrawlController - Received shutdown notice. Reason is Exausted
92529 [pool-2-thread-2] WARN org.openqa.selenium.os.ProcessUtils - Process refused to die after 10 seconds, and couldn't taskkill it
org.openqa.selenium.WebDriverException: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:123)
at org.openqa.selenium.os.CommandLine.execute(CommandLine.java:116)
at org.openqa.selenium.os.WindowsUtils.killPID(WindowsUtils.java:173)
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:138)
at org.openqa.selenium.os.ProcessUtils.killProcess(ProcessUtils.java:81)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.destroyHarder(UnixProcess.java:247)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.access$2(UnixProcess.java:246)
at org.openqa.selenium.os.UnixProcess.destroy(UnixProcess.java:125)
at org.openqa.selenium.os.CommandLine.destroy(CommandLine.java:153)
at org.openqa.selenium.firefox.FirefoxBinary.quit(FirefoxBinary.java:259)
at org.openqa.selenium.firefox.internal.NewProfileExtensionConnection.quit(NewProfileExtensionConnection.java:204)
at org.openqa.selenium.firefox.FirefoxDriver$LazyCommandExecutor.quit(FirefoxDriver.java:377)
at org.openqa.selenium.firefox.FirefoxDriver.stopClient(FirefoxDriver.java:323)
at org.openqa.selenium.remote.RemoteWebDriver.quit(RemoteWebDriver.java:467)
at com.crawljax.browser.WebDriverBackedEmbeddedBrowser.close(WebDriverBackedEmbeddedBrowser.java:328)
at com.crawljax.core.Crawler.close(Crawler.java:94)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:50)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:16)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.InterruptedException: sleep interrupted
at java.lang.Thread.sleep(Native Method)
at org.apache.commons.exec.DefaultExecuteResultHandler.waitFor(DefaultExecuteResultHandler.java:121)
at org.openqa.selenium.os.UnixProcess.waitFor(UnixProcess.java:139)
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:121)
... 21 more
92545 [pool-2-thread-2] ERROR com.crawljax.core.CrawlTaskConsumer - Unexpected error Process refused to die after 10 seconds, and couldn't taskkill it: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
java.lang.RuntimeException: Process refused to die after 10 seconds, and couldn't taskkill it: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:142)
at org.openqa.selenium.os.ProcessUtils.killProcess(ProcessUtils.java:81)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.destroyHarder(UnixProcess.java:247)
at org.openqa.selenium.os.UnixProcess$SeleniumWatchDog.access$2(UnixProcess.java:246)
at org.openqa.selenium.os.UnixProcess.destroy(UnixProcess.java:125)
at org.openqa.selenium.os.CommandLine.destroy(CommandLine.java:153)
at org.openqa.selenium.firefox.FirefoxBinary.quit(FirefoxBinary.java:259)
at org.openqa.selenium.firefox.internal.NewProfileExtensionConnection.quit(NewProfileExtensionConnection.java:204)
at org.openqa.selenium.firefox.FirefoxDriver$LazyCommandExecutor.quit(FirefoxDriver.java:377)
at org.openqa.selenium.firefox.FirefoxDriver.stopClient(FirefoxDriver.java:323)
at org.openqa.selenium.remote.RemoteWebDriver.quit(RemoteWebDriver.java:467)
at com.crawljax.browser.WebDriverBackedEmbeddedBrowser.close(WebDriverBackedEmbeddedBrowser.java:328)
at com.crawljax.core.Crawler.close(Crawler.java:94)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:50)
at com.crawljax.core.CrawlTaskConsumer.call(CrawlTaskConsumer.java:16)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.openqa.selenium.WebDriverException: java.lang.InterruptedException: sleep interrupted
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name: 'Windows 7', os.arch: 'amd64', os.version: '6.1', java.version: '1.8.0_45'
Driver info: driver.version: RemoteWebDriver
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:123)
at org.openqa.selenium.os.CommandLine.execute(CommandLine.java:116)
at org.openqa.selenium.os.WindowsUtils.killPID(WindowsUtils.java:173)
at org.openqa.selenium.os.ProcessUtils.killWinProcess(ProcessUtils.java:138)
... 18 more
Caused by: java.lang.InterruptedException: sleep interrupted
at java.lang.Thread.sleep(Native Method)
at org.apache.commons.exec.DefaultExecuteResultHandler.waitFor(DefaultExecuteResultHandler.java:121)
at org.openqa.selenium.os.UnixProcess.waitFor(UnixProcess.java:139)
at org.openqa.selenium.os.CommandLine.waitFor(CommandLine.java:121)
... 21 more
92547 [Thread-8] INFO com.crawljax.core.CrawlController - Shutdown process complete
92547 [Thread-8] INFO org.zaproxy.zap.extension.spiderAjax.SpiderThread - Stopping proxy...
92647 [Thread-8] INFO org.zaproxy.zap.extension.spiderAjax.SpiderThread - Proxy stopped.
Thilina Madhusanka
Sep 23, 2015, 11:33:20 PM9/23/15
to OWASP ZAP User Group
hi
I dont think these issue are from zaproxy plugin.
Your using newest version of plugin and the ZAP application ?
I think you should ask this one also from some one in ZAP. i cant seem to figure out the problem.
Is the report generate successfully ?
Cheers.
thc...@gmail.com
Sep 24, 2015, 3:47:20 AM9/24/15
to zaprox...@googlegroups.com
Hi.
Indeed, that's not related to the plugin.
The AJAX Spider seems to be failing to close the browser windows. If the
windows are not being closed you would have to close them manually
(otherwise you would end up with a lot of them).
Which Firefox version are you using? That shouldn't be happening with
the latest versions.
Best regards.
> <http://os.name>: 'Windows 7', os.arch: 'amd64', os.version: '6.1',
> <http://os.name>: 'Windows 7', os.arch: 'amd64', os.version: '6.1',
> <http://os.name>: 'Windows 7', os.arch: 'amd64', os.version: '6.1',
Indeed, that's not related to the plugin.
The AJAX Spider seems to be failing to close the browser windows. If the
windows are not being closed you would have to close them manually
(otherwise you would end up with a lot of them).
Which Firefox version are you using? That shouldn't be happening with
the latest versions.
Best regards.
> java.version: '1.8.0_45'
> Driver info: driver.version: RemoteWebDriver
> java.lang.RuntimeException: Process refused to die after 10 seconds,
> and couldn't taskkill it: java.lang.InterruptedException: sleep
> interrupted
> Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
> System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name
> <http://os.name>: 'Windows 7', os.arch: 'amd64', os.version: '6.1',
> Driver info: driver.version: RemoteWebDriver
> java.lang.RuntimeException: Process refused to die after 10 seconds,
> and couldn't taskkill it: java.lang.InterruptedException: sleep
> interrupted
> Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
> System info: host: 'testMachine', ip: 'xxx.xxx.xx.xx', os.name
Message has been deleted
ryerson...@gmail.com
Sep 24, 2015, 10:33:03 AM9/24/15
to OWASP ZAP User Group
Amazing! Thank you both so much :)
Updated: Plugin is 1.1.7 that i got off of the jenkins list.
Updated: ZAP was 2.4.2 (2015-09-07) but updated just now to the 2.4.2 weekly release (2015-09-21) which is giving me a different error.
Updated: Firefox was at 39 but updated now to 41 which seems to have solved the issue, the report is being generated and it is a thing of beauty.
The Spider URL As User is to have authentication for the active scan as well? My website uses a randomly generated unique token on page load to prevent cross site scripting (it is posted along with other parameters and not just the username and password), is there any way to get that token and post it as a parameter?
Updated: Plugin is 1.1.7 that i got off of the jenkins list.
Updated: ZAP was 2.4.2 (2015-09-07) but updated just now to the 2.4.2 weekly release (2015-09-21) which is giving me a different error.
Updated: Firefox was at 39 but updated now to 41 which seems to have solved the issue, the report is being generated and it is a thing of beauty.
The Spider URL As User is to have authentication for the active scan as well? My website uses a randomly generated unique token on page load to prevent cross site scripting (it is posted along with other parameters and not just the username and password), is there any way to get that token and post it as a parameter?
ryerson...@gmail.com
Sep 24, 2015, 11:21:06 AM9/24/15
to OWASP ZAP User Group
Just to elaborate a bit more and step back a little bit from the token
Target URL: https://dev.test.cf.mytestsite.ca/humanrights/
but then my login URL would be the same as my target URL?
because https://dev.test.cf.mytestsite.ca/ can have multiple pages under it such as
which i don't want to be checked.
My logout button is
What are the Q and E, regex?
Target URL: https://dev.test.cf.mytestsite.ca/humanrights/
but then my login URL would be the same as my target URL?
because https://dev.test.cf.mytestsite.ca/ can have multiple pages under it such as
which i don't want to be checked.
My logout button is
<div style="text-align:right"> <span style="..."><a href="/humanrights/?logout=UNIQUE_TOKEN"><img style="..." src="/humanrights/icons/log_out.png" />Logout</a></span> </div>I was looking at \\Q>ahref=\"../admin/logout_action.jsp\">Sign-out</a>\\E
What are the Q and E, regex?
ryerson...@gmail.com
Sep 24, 2015, 12:17:04 PM9/24/15
to OWASP ZAP User Group
I've been playing around with it and i'm trying to figure out if it logged me in or not, not sure how to tell. Also the report's the plugin is generating is different than when i do a manual zap spider + active scan. The plugin reports less issues for some reason.
ryerson...@gmail.com
Sep 24, 2015, 2:16:00 PM9/24/15
to OWASP ZAP User Group
SQl Injection Errors are the cause of the discrepancy. I am unsure of why they are being caused thought. I have everything at the most recent version.
http://pastebin.com/cMsWcnBu
http://pastebin.com/cMsWcnBu
Thilina Madhusanka
Sep 28, 2015, 12:25:33 AM9/28/15
to OWASP ZAP User Group
Hi
dose reports mismatch a lot?
All the URL's in the ZAP report are your website?
What kind of test result are missing?
I think You should seek help from some one in ZAP about the SQL error.
Cheers.
kingthorin+owaspzap
Sep 28, 2015, 7:35:01 AM9/28/15
to OWASP ZAP User Group
java.net.SocketException: Connection reset
Can be caused by a lot of things. Back timeout, firewall, IPS, overlong URL, etc. In order to troubleshoot we'd need more detail.
Can be caused by a lot of things. Back timeout, firewall, IPS, overlong URL, etc. In order to troubleshoot we'd need more detail.
kingthorin+owaspzap
Sep 28, 2015, 7:35:29 AM9/28/15
to OWASP ZAP User Group
That should have been "bad timeout" not "back".....
ryerson...@gmail.com
Sep 28, 2015, 1:00:57 PM9/28/15
to OWASP ZAP User Group
Thank you for the help, I will post both the ZAP plugin and the tool reports later today after they finish running.
ryerson...@gmail.com
Sep 28, 2015, 1:04:10 PM9/28/15
to OWASP ZAP User Group
What details can i contribute?
Simon Bennetts
Sep 28, 2015, 1:04:37 PM9/28/15
to OWASP ZAP User Group
Yes, there are a load of reasons why connections can fail, with application failure and IDSs being pretty common :)
I wouldnt worry about these sort of errors too much unless you see loads of them and/or your application stops responding.
I'm actually wondering if maybe we shouldnt log these as errors but instead show a count of failed requests that is shown in the Active Scan Progress Dialog.
That could be more useful..
Cheers,
Simon
I wouldnt worry about these sort of errors too much unless you see loads of them and/or your application stops responding.
I'm actually wondering if maybe we shouldnt log these as errors but instead show a count of failed requests that is shown in the Active Scan Progress Dialog.
That could be more useful..
Cheers,
Simon
ryerson...@gmail.com
Sep 30, 2015, 10:49:51 AM9/30/15
to OWASP ZAP User Group
I just found out that my manual test is not going through the entire site, will update this thread with more details and full reports once i am able to generate the full security report.
Albert
Dec 8, 2015, 8:15:33 AM12/8/15
to OWASP ZAP User Group
I am exactly in the same stage. I got zap poxy plugin running and being able to scan a local Webgoat running site.
I am trying to figure out if the Spider As User is actually login in. The result in the log seems to show a positive login but the spider ends at 0%.
Did you get any further on how to debug if login is happening? Or what actually needs to be set in the jerkins admin page? Attached my current configuration screenshot.
This my my current log:
13164 [Thread-5] INFO org.zaproxy.zap.spider.Spider - Starting spider... 13190 [Thread-5] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc 13216 [Thread-5] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/robots.txt 13223 [Thread-5] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/sitemap.xml Status spider = 66% Alerts number = ApiResponseElement numberOfAlerts = 0 15508 [pool-1-thread-2] WARN org.zaproxy.zap.spider.URLCanonicalizer - Error while Processing URL in the spidering process (on base ): Host could not be reliably evaluated from: http://getbootstrap.com) Status spider = 45% Alerts number = ApiResponseElement numberOfAlerts = 0 16120 [pool-1-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down... 16129 [Thread-7] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true Skip Ajax spidering the site [http://localhost:8080/WebGoat/login.mvc] Setting up Authentication URL http://localhost:8080/WebGoat/login.mvc added to Context [2] Form Based Authentication added to context Logged in indicator <a\s+(?:[^>]*?\s+)?href="([^"]*)" added to context New user added. username :guest User : guest is now Enabled Spider the site [http://localhost:8080/WebGoat/login.mvc] as user [guest] 18138 [Thread-8] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on SpiderApi-1 at Fri Dec 04 13:28:09 CET 2015 18144 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Spider initializing... 18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Starting spider... 18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: guest 18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc 18195 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/robots.txt 18197 [Thread-8] INFO org.zaproxy.zap.spider.Spider - Adding seed for spider: http://localhost:8080/sitemap.xml 18199 [pool-2-thread-1] INFO org.zaproxy.zap.users.User - Authenticating user: guest Status spider = 0% Alerts number = ApiResponseElement numberOfAlerts = 0 19111 [pool-2-thread-2] INFO org.zaproxy.zap.users.User - Authenticating user: guest 19713 [pool-2-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down... 19768 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true Scan the site [http://localhost:8080/WebGoat/login.mvc] Scan url [http://localhost:8080/WebGoat/login.mvc] with the policy by default 20812 [ZAP-ProxyThread-25] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Path Traversal
wade.sc...@gmail.com
Feb 18, 2016, 5:10:50 PM2/18/16
to OWASP ZAP User Group, thil...@wso2.com
I'm having the same problem with my set up. Did you ever find the solution to this?
Reply all
Reply to author
Forward
0 new messages