Context file doesn't apply for ZAP docker scans

857 views

Oleg Rybchenko

Jan 17, 2023, 9:36:27 AM
to OWASP ZAP User Group
Hello,
I am just at the beginning of ZAP automation via Docker and need some help.
This post is very similar to https://groups.google.com/g/zaproxy-users/c/UhT8jjXxjcU/m/2UMsOXFNBgAJ

So what do I have:
1. I've pulled zap-docker-stable image
2. I've created a context file via the ZAP UI. And it works (every login proceeds with the forced user's creds)
3. I use: docker run -v $(pwd):/zap/wrk/:rw --rm --net zapnet -t owasp/zap2docker-stable zap-baseline.py -t https://target-site.com -g gen.conf -r testreport.html -n supa_drupa.context -d

In fact, no matter what scan I choose, there's no way ZAP is using my context file. Spidering takes no more than 2 minutes in full-scan mode.

Where shall I place my context file?

Cheers,

Simon Bennetts

Jan 17, 2023, 9:43:48 AM
to OWASP ZAP User Group
You are mapping your current working directory (cwd) to /zap/wrk/
So supa_drupa.context should be in your cwd.
On the baseline command you should specify "-n /zap/wrk/supa_drupa.context"

Cheers,

Simon

Oleg Rybchenko

Jan 17, 2023, 10:16:41 AM
to OWASP ZAP User Group
Unfortunately it doesn't work.
But I think there are two possible reasons why:
1. While using the ZAP UI I've added the _xsrf token to the CSRF config because I use this as a POST param in form-based auth. If I understand correctly it will be replaced after the next login attempt. But I think I should provide this config to the docker command as well.
2. I've noticed that there is some problem with the HTTPS connection, as it returns a 504 status code:
2023-01-17 14:59:08,409 Starting new HTTPS connection (1): https://target-site.com:443
2023-01-17 14:59:29,145 https://target-site.com:443 "GET / HTTP/1.1" 504 180

The second problem appears from time to time. The results of these runs are 0 warns/fails found.
And this is weird, because previously the same docker run, but without the context, ended with a normal report.

On Tuesday, January 17, 2023 at 17:43:48 UTC+3, psi...@gmail.com wrote:

kingthorin+owaspzap

Jan 17, 2023, 12:05:15 PM
to OWASP ZAP User Group
Sounds like you've got networking issues.

Oleg Rybchenko

Jan 18, 2023, 2:22:37 AM
to OWASP ZAP User Group
Hello,

Yes, that's all because we use proxy in our test environment.
Tried the same with the prod env and everything turned out to be OK.

Can you please guide me where to read about configuring the proxy in ZAP?
And maybe there's a way to copy the ZAP UI config to use it in Docker scans? Because in my ZAP UI everything is great and I can easily connect to my test env.

Thanks for help!
On Tuesday, January 17, 2023 at 20:05:15 UTC+3, kingthorin+owaspzap wrote:

Simon Bennetts

Jan 18, 2023, 4:22:09 AM
to OWASP ZAP User Group
See:
- https://www.zaproxy.org/docs/desktop/addons/network/options/connection/#http-proxy
The plan is to make it easy to copy ZAP UI configs by creating an Automation Framework (AF) plan.
Unfortunately the AF doesn't currently support proxying directly, so you will still have to use the "-config" options with the AF as well.

Cheers,

Simon

Oleg Rybchenko

Jan 18, 2023, 8:23:41 AM
to OWASP ZAP User Group
Thanks for the answer!

I've noticed that I can import my custom CA certificate into ZAP with the command-line param -certload
So I tried this way:

1. Launch a container in interactive mode with my cert:
docker run -v $(pwd):/zap/wrk/:rw --rm -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -certload path_to_cert.file -config connection.proxyChain.enabled=true -config connection.proxyChain.hostName=proxy_address -config connection.proxyChain.port=1234
2. Then go into container with:
docker exec -it {container} bash
3. Launch the scan I want:
zap-baseline.py -t https://site_with_proxy.com -g gen.conf -r testreport.html -n /zap/wrk/test.context -d

But on the 1st step ZAP didn't use my cert but created its own:
5436 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - Creating new root CA certificate.
7566 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - New root CA certificate created.

What am I doing wrong? =)
On Wednesday, January 18, 2023 at 12:22:09 UTC+3, psi...@gmail.com wrote:

thc...@gmail.com

Jan 18, 2023, 8:43:53 AM
to zaprox...@googlegroups.com
ZAP creates its own certificate first/always, if for whatever reason the
provided certificate is not loaded ZAP will still have a valid one.

You should be seeing a message like "Root CA certificate loaded from …"
or an error message, e.g. "Cannot read file …", after the messages you
quoted.

Are you not?

Note that ZAP does not expect its home to be shared between ZAP
instances. You should start ZAP with -cmd not -daemon to ensure that all
the options are saved to the configuration file and let the instance
started by zap-baseline.py have exclusive access to the home.

Best regards.

On 18/01/2023 13:23, Oleg Rybchenko wrote:
> Thanks for the answer!
>
> I've noticed that I can import my custom CA Certificate to ZAP with
> commandline param -certload
> So I tried this way:
>
> 1. Launch a container in interactive mode with my cert:
> docker run -v $(pwd):/zap/wrk/:rw --rm -u zap -p 8080:8080 -i
> owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config
> api.disablekey=true *-certload path_to_cert.file* -config
> connection.proxyChain.enabled=true -config
> connection.proxyChain.hostName=proxy_address -config
> connection.proxyChain.port=1234
> 2. Then go into container with:
> docker exec -it {container} bash
> 3. Launch the scan I want:
> zap-baseline.py -t https://site_with_proxy.com -g gen.conf -r
> testreport.html -n /zap/wrk/test.context -d
>
> But on the 1st step ZAP didn't use my cert but created its own:
> 5436 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork -
> Creating new root CA certificate.
> 7566 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - New
> root CA certificate created.
>
> What am I doing wrong? =)
> On Wednesday, January 18, 2023 at 12:22:09 UTC+3, psi...@gmail.com wrote:
>
>> See:
>>
>> -
>> https://www.zaproxy.org/docs/desktop/addons/network/options/connection/#http-proxy
>> -

Oleg Rybchenko

Jan 19, 2023, 1:00:43 AM
to OWASP ZAP User Group
Hello!

Thanks to your help I think I've managed to cope with this problem.
The thing was that I tried to access my proxied env from my local machine, but each attempt to connect gave me a 504 error.
Moved everything into this proxied env and launched scans again and it worked.

Thanks again for guiding me!
Have a good time!
Cheers

Oleg!

On Wednesday, January 18, 2023 at 16:43:53 UTC+3, thc202 wrote:

Simon Bennetts

Jan 19, 2023, 4:32:43 AM
to OWASP ZAP User Group
Thanks for letting us know!
If you can think of any way ZAP could have reported problems which would have helped you fix your problem more quickly then do let us know.

Cheers,

Simon

Oleg Rybchenko

Jan 19, 2023, 8:00:18 AM
to OWASP ZAP User Group
Hello Simon,

Sure, I'll think about how to do this and return with any useful info.

Thanks again for your help!)

On Thursday, January 19, 2023 at 12:32:43 UTC+3, psi...@gmail.com wrote:

Oleg Rybchenko

Jan 20, 2023, 2:12:54 AM
to OWASP ZAP User Group
So here's a point.
Just before ZAP starts spidering the site, it makes an attempt to open new HTTPS connection like this:

2023-01-20 07:01:59,765 Starting new HTTPS connection (1): example.com:443
2023-01-20 07:02:00,520 https://example.com:443 "GET / HTTP/1.1" 404 146

If we use a proxy and try to reach the site with HTTPS, we'll receive a 502 error code on the second line.
After this ZAP will continue spidering and active scanning. The total amount of links found would be few.
I think we can help the user by highlighting this 502 error code when they use the -d debug flag.

Cheers,
Oleg

On Thursday, January 19, 2023 at 16:00:18 UTC+3, Oleg Rybchenko wrote:

Simon Bennetts

Jan 20, 2023, 5:03:35 AM
to OWASP ZAP User Group
Hi Oleg,

What command line are you using now?
The baseline scan should exit early if it fails to access the specified site.

Cheers,

Simon

Oleg Rybchenko

Jan 23, 2023, 2:55:29 AM
to OWASP ZAP User Group
Hi Simon!

Now everything is OK with launching scans through my proxy env.
I use standard command like this:

docker run -v $(pwd):/zap/wrk/:rw --rm -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com -g gen.conf -r testreport.html -n /zap/wrk/test.context -d

The problem was that I had tried to run this from my local machine and not inside my proxy env. So I moved completely into this proxy env, ran this command again, and it worked. I wrote my comment above just to mention that the only thing indicating that something went wrong was the 502 error I got. And it would be great in future to highlight this error in the code.

Cheers, Oleg

P.S. But I came across another issue I'd like to mention in another topic =)
On Friday, January 20, 2023 at 13:03:35 UTC+3, psi...@gmail.com wrote:
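Pulling the thread's pieces together: Simon's point that the context file has to sit in the directory mounted on /zap/wrk and be passed by its container path, the proxy and -certload options Oleg tried, thc202's note about the log messages that tell you whether the CA was actually loaded, and the 502 that was the only visible sign the proxy could not reach the target. The script below is an added example, not code from the thread or from the ZAP project. It assumes docker and the owasp/zap2docker-stable image, that the scan scripts' -z option passes extra command-line options to the ZAP instance they start, and that the connection.proxyChain.* keys, -certload and the two log strings quoted by thc202 match your ZAP version; the ZAP_PROXY_HOST, ZAP_PROXY_PORT and ZAP_CA_CERT variables and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ZAP project.
# Wraps zap-baseline.py / zap-full-scan.py so that:
#   1. the context file is resolved from the host cwd to its path under
#      /zap/wrk, the mount point used by the docker command in the thread;
#   2. the upstream proxy and a custom root CA are handed to the ZAP instance
#      the scan script itself starts (via its -z option), so no separate
#      daemon shares a ZAP home with it;
#   3. the target is fetched once through that proxy before the scan, so a
#      502/504 from the proxy fails fast instead of producing an empty report;
#   4. a ZAP log can be checked for the -certload outcome.
# Assumed: docker, the owasp/zap2docker-stable image, the -z option, and that
# the connection.proxyChain.* keys and -certload match your ZAP version.
set -u

WRK=/zap/wrk                     # where the docker command mounts $PWD
IMAGE=owasp/zap2docker-stable
proxy_host="${ZAP_PROXY_HOST:-}" # upstream HTTP proxy (assumed name), e.g. proxy.internal
proxy_port="${ZAP_PROXY_PORT:-}" # its port, e.g. 3128
ca_cert="${ZAP_CA_CERT:-}"       # PEM root CA under $PWD, given to -certload

# Map a file under $PWD to the path ZAP will see inside the container.
# Anything outside $PWD is not mounted, so ZAP could never read it.
container_path() {
    f="$1"
    case "$f" in /*) ;; *) f="$PWD/$f" ;; esac
    [ -f "$f" ] || { echo "container_path: $f is not a file" >&2; return 1; }
    case "$f" in
        "$PWD"/*) printf '%s\n' "$WRK/${f#"$PWD"/}" ;;
        *) echo "container_path: $f is outside $PWD, so it is not under $WRK" >&2; return 1 ;;
    esac
}

# Extra ZAP options for the scan script's -z argument (same keys as in the thread).
zap_options() {
    opts=""
    if [ -n "$proxy_host" ]; then
        opts="-config connection.proxyChain.enabled=true"
        opts="$opts -config connection.proxyChain.hostName=$proxy_host"
        opts="$opts -config connection.proxyChain.port=$proxy_port"
    fi
    if [ -n "$ca_cert" ]; then
        ca="$(container_path "$ca_cert")" || return 1
        opts="${opts:+$opts }-certload $ca"
    fi
    printf '%s\n' "$opts"
}

# 502/504 are what the thread saw when the proxy could not reach the target.
gateway_error() {
    case "$1" in 502|504) return 0 ;; *) return 1 ;; esac
}

# Fetch the target the way ZAP will (same proxy, same CA) before scanning.
preflight() {
    code="$(curl -sS -o /dev/null -w '%{http_code}' \
        ${proxy_host:+-x "http://$proxy_host:$proxy_port"} \
        ${ca_cert:+--cacert "$ca_cert"} "$1")" || return 1
    if gateway_error "$code"; then
        echo "preflight: $1 answered $code through the proxy, not scanning" >&2
        return 1
    fi
    echo "preflight: $1 answered $code" >&2
}

# Outcome of -certload in a ZAP log: 0 loaded, 1 unreadable, 2 no message at
# all (ZAP then keeps the root CA it generated at startup). The strings are the
# messages as quoted in thc202's reply; check them against your ZAP version.
cert_load_status() {
    if grep -q "Root CA certificate loaded from" "$1"; then return 0
    elif grep -q "Cannot read file" "$1"; then return 1
    else return 2
    fi
}

# run_scan SCRIPT TARGET CONTEXT, e.g.
#   run_scan zap-baseline.py https://target-site.com supa_drupa.context
run_scan() {
    ctx="$(container_path "$3")" || return 1
    z="$(zap_options)" || return 1
    docker run --rm -v "$PWD:$WRK:rw" -t "$IMAGE" "$1" -t "$2" -n "$ctx" \
        -g gen.conf -r testreport.html -d ${z:+-z "$z"}
}

if [ "$#" -eq 3 ]; then
    preflight "$2" || exit 1
    run_scan "$@"
fi
```

Run it from the directory that holds the context file and the CA, for example `ZAP_PROXY_HOST=proxy.internal ZAP_PROXY_PORT=3128 ZAP_CA_CERT=ca.pem ./zap-scan.sh zap-baseline.py https://target-site.com supa_drupa.context`. Passing the proxy and CA settings through -z gives them to the ZAP instance the scan script starts, which avoids the shared-home problem thc202 describes with a hand-started daemon. cert_load_status is meant for ZAP's own log (the console output of a one-off zap.sh -cmd run, or zap.log in ZAP's home directory), not for the scan script's output; a status of 2 means neither message was seen and ZAP is proxying with the CA it generated itself.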