Executing installed applications not working


Jim Solderitsch

Oct 17, 2017, 1:06:17 PM
to OWASP ZAP User Group
I used Zap 2.5 previously and installed nikto as an application.

It would run when invoked and I would see output in the Output tab.

When I installed 2.6, it seems to have remembered the app with the right path and options.

But when I try to run it, I see this in the output window:

[/Users/jjs/Downloads/nikto-2.1.5/nikto.pl, -host, http://localhost/, -port, 80]

but no output appears there.

If I take the expression in the brackets, remove the commas and run in a terminal, the application runs there.

Running on Mac OS X Sierra (latest revision).

Help appreciated.

thc...@gmail.com

Oct 17, 2017, 1:18:04 PM
to zaprox...@googlegroups.com
Hi.

Any errors in the zap.log file? [1]

I guess the option Capture Output is set? (just confirming)


[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.

Jim Solderitsch

Oct 17, 2017, 1:35:59 PM
to OWASP ZAP User Group
No errors related to app execution. I did report an issue not being able to launch a browser with the new feature in 2.6 and there are errors related to that.

I have Capture output ON.

Jim Solderitsch

Oct 17, 2017, 2:45:15 PM
to OWASP ZAP User Group
I tried Zap 2.5 that was still installed and nikto ran there and produced output.

thc...@gmail.com

Oct 17, 2017, 5:16:02 PM
to zaprox...@googlegroups.com
Thanks! Could you check the add-on version that you are using in ZAP
2.5? (That's shown in a tool tip in Manage Add-ons dialogue. [1])

Raised an issue:
https://github.com/zaproxy/zaproxy/issues/3960


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsManageaddons

Best regards.

Jim Solderitsch

Oct 17, 2017, 10:23:46 PM
to OWASP ZAP User Group
For the Invoke Applications add-on, I see status of beta, a version of 4 and a Not Before Version of 2.4.1 in ZAP 2.5

Jim Solderitsch

Oct 17, 2017, 10:27:56 PM
to OWASP ZAP User Group
For the Invoke Applications Add-on in ZAP 2.6, the add-on version is 6 rather than 4. The changes message there is: Properly split application arguments. Do you specify application arguments differently now?

thc...@gmail.com

Oct 19, 2017, 4:48:51 PM
to zaprox...@googlegroups.com
Thanks for the information!

Would you mind trying the latest version of Invoke Applications add-on
in ZAP 2.6.0? (Can be updated from within ZAP through the Manage Add-ons
dialogue.)
The latest version will report in the Output tab (and log to zap.log)
any error that occurred while starting the application (which might be the
case here).

> Do you specify application arguments differently now?

Well, they are specified in the same way but the tags (e.g. %url%) are
now replaced per argument passed to the application (to ensure that each
replaced tag is treated as one whole argument).

Best regards.
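
The per-argument tag replacement described in the reply above, as an added example that is not part of the original thread and not the add-on's own code. The class and method names are hypothetical, the URL is a constructed sample, and the replace-then-split variant is an assumed contrast case, not something taken from the add-on's source.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class PerArgumentTagDemo {

    // Assumed contrast case: substitute the tag in the whole parameter
    // string first, then split on whitespace.
    static List<String> replaceThenSplit(String params, String url) {
        String replaced = params.replace("%url%", url);
        return new ArrayList<>(Arrays.asList(replaced.trim().split("\\s+")));
    }

    // Per-argument substitution: split the configured parameters first,
    // then replace the tag inside each argument, so the substituted value
    // can never add arguments of its own.
    static List<String> splitThenReplace(String params, String url) {
        List<String> args = new ArrayList<>();
        for (String part : params.trim().split("\\s+")) {
            args.add(part.replace("%url%", url));
        }
        return args;
    }

    public static void main(String[] unused) {
        String params = "-host %url% -port 80";
        // Constructed sample value: a URL that contains a space.
        String url = "http://localhost/my docs/ -extra";

        List<String> early = replaceThenSplit(params, url);
        List<String> late = splitThenReplace(params, url);

        System.out.println(early.size() + " args: " + early);
        System.out.println(late.size() + " args: " + late);

        // ProcessBuilder takes the list as-is (no shell is involved), so
        // each element reaches the program as exactly one argv entry.
        List<String> command = new ArrayList<>();
        command.add("/path/to/tool"); // placeholder, never started here
        command.addAll(late);
        ProcessBuilder pb = new ProcessBuilder(command);
        System.out.println(pb.command());
    }
}
```

Since the value substituted for %url% comes from the site being tested, the argument count is the thing to compare between the two printed lists.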

Jim Solderitsch

Oct 19, 2017, 5:03:03 PM
to OWASP ZAP User Group
Error in Output Tab:

[/Users/jjs/Downloads/nikto-2.1.5/nikto.pl, -host, http://localhost/, -port, 80]
Failed to start/invoke the application:
Cannot run program "/Users/jjs/Downloads/nikto-2.1.5/nikto.pl" (in directory "/Users/jjs/Downloads/nikto-2.1.5"): error=0, spawn failed

Error in log:

2017-10-19 16:58:07,611 WARN  InvokeAppWorker - Failed to start the process: Cannot run program "/Users/jjs/Downloads/nikto-2.1.5/nikto.pl" (in directory "/Users/jjs/Downloads/nikto-2.1.5"): error=0, spawn failed
java.io.IOException: Cannot run program "/Users/jjs/Downloads/nikto-2.1.5/nikto.pl" (in directory "/Users/jjs/Downloads/nikto-2.1.5"): error=0, spawn failed
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
at org.zaproxy.zap.extension.invoke.InvokeAppWorker.doInBackground(InvokeAppWorker.java:118)
at org.zaproxy.zap.extension.invoke.InvokeAppWorker.doInBackground(InvokeAppWorker.java:39)
at javax.swing.SwingWorker$1.call(SwingWorker.java:295)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at javax.swing.SwingWorker.run(SwingWorker.java:334)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: error=0, spawn failed
at java.lang.UNIXProcess.forkAndExec(Native Method)
at java.lang.UNIXProcess.<init>(UNIXProcess.java:247)
at java.lang.ProcessImpl.start(ProcessImpl.java:134)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
... 8 more

thc...@gmail.com

Oct 19, 2017, 6:02:14 PM
to zaprox...@googlegroups.com
OK, that does not seem to be a problem with the add-on. Would you mind
trying the latest version of the add-on with ZAP 2.5.0?

Thanks!
Best regards.

kingthorin+owaspzap

Oct 19, 2017, 8:26:49 PM
to OWASP ZAP User Group
Are the permissions for nikto.pl executable? Does it run properly straight from the command line?

Jim Solderitsch

Oct 19, 2017, 8:47:50 PM
to OWASP ZAP User Group
How will I be able to use the newer app add-on with 2.5? Will I be able to update to this version? I reported higher up in this thread what version I used there before.

Jim Solderitsch

Oct 19, 2017, 8:48:34 PM
to OWASP ZAP User Group
Yes, nikto's permissions are right. I can execute it from the command line.

Jim Solderitsch

Oct 19, 2017, 9:58:52 PM
to OWASP ZAP User Group
Can I downgrade to the old version if the new one is broken in 2.5 as well?

thc...@gmail.com

Oct 20, 2017, 5:17:15 AM
to zaprox...@googlegroups.com
The newer version works fine in 2.5, you can manually install it with
File > Load Add-on file... [1]


Yes, you can downgrade to the older version (same way as above, it's
still available to download from zap-extensions [2]), in fact you can
try the older version in ZAP 2.6.0, that would be fine too and probably
easier. (Note that you might need to uninstall the newer version first,
ZAP will not install if it's an older add-on version).


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuFile
[2]
https://github.com/zaproxy/zap-extensions/releases/download/2.5/invoke-beta-4.zap

Best regards.

Jim Solderitsch

Oct 21, 2017, 3:34:28 PM
to OWASP ZAP User Group
I can no longer start ZAP 2.5. I can still start 2.6.

I get this error for 2.5:

Failed to start ZAP
 

Message:
    java.lang.NoSuchFieldError: API_NONCE_PARAM
Level:
    SEVERE
Stack Trace:
API_NONCE_PARAM
    org.zaproxy.zap.extension.plugnhack.ExtensionPlugNHack. (Unknown Source)
    sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    org.zaproxy.zap.control.AddOnLoaderUtils.loadAndInstantiateClassImpl(Unknown Source)
    org.zaproxy.zap.control.AddOnLoaderUtils.loadAndInstantiateClass(Unknown Source)
    org.zaproxy.zap.control.AddOnLoader.loadAddOnExtension(Unknown Source)
    org.zaproxy.zap.control.AddOnLoader.loadAddOnExtensions(Unknown Source)
    org.zaproxy.zap.control.AddOnLoader.getExtensions(Unknown Source)
    org.zaproxy.zap.control.AddOnLoader.getExtensions(Unknown Source)
    org.zaproxy.zap.control.ExtensionFactory.loadAllExtension(Unknown Source)
    org.parosproxy.paros.control.Control.addExtension(Unknown Source)
    org.parosproxy.paros.control.AbstractControl.loadExtension(Unknown Source)
    org.parosproxy.paros.control.Control.init(Unknown Source)
    org.parosproxy.paros.control.Control.initSingletonWithView(Unknown Source)
    org.zaproxy.zap.GuiBootstrap.initControlAndPostViewInit(Unknown Source)
    org.zaproxy.zap.GuiBootstrap.access$100(Unknown Source)
    org.zaproxy.zap.GuiBootstrap$2.run(Unknown Source)
    java.lang.Thread.run(Thread.java:745)

Jim Solderitsch

Oct 21, 2017, 3:48:15 PM
to OWASP ZAP User Group
I did learn how to uninstall the beta 7 add-on and installed the beta 4 add-on for launching applications.

beta 4 does NOT work with ZAP 2.6.

I see no errors in zap.log.

Jim Solderitsch

Oct 21, 2017, 4:05:21 PM
to OWASP ZAP User Group
Figured out the start problem for 2.5. I had updated my 2.6 release to install the plugnhack extension. This affected 2.5 badly as the error message indicates.

I uninstalled plugnhack and then 2.5 started up OK.

Then I installed the beta 7 version for the app invoker extension.

This works for me in ZAP 2.5 -- the nikto app runs -- the output window output also shows the app runner version change caused a few other add-on changes as well:

Uninstalled add-on Invoke Applications version 4
Downloading https://github.com/zaproxy/zap-extensions/releases/download/2.5/spiderAjax-release-17.zap to /Users/jjs/Library/Application Support/ZAP/plugin/spiderAjax-release-17.zap
Downloading https://github.com/zaproxy/zap-extensions/releases/download/2.5/selenium-release-9.zap to /Users/jjs/Library/Application Support/ZAP/plugin/selenium-release-9.zap
Installing new add-on Invoke Applications version 7
Replacing add-on Ajax Spider version 16
Uninstalled add-on Ajax Spider version 16
Installing new add-on Ajax Spider version 17
Installing new add-on Selenium version 9

[/Users/jjs/Downloads/nikto-2.1.5/nikto.pl, -host, http://localhost/, -port, 80]
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2017-10-21 15:58:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.16 (Unix) OpenSSL/1.0.1p PHP/5.6.12 mod_perl/2.0.8-dev Perl/v5.16.3
+ Retrieved x-powered-by header: PHP/5.6.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: http://localhost/dashboard/
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x78ae 0x4303112ee9900 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Uncommon header 'x-frame-options' found, with contents: DENY
+ Uncommon header 'content-security-policy' found, with contents: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;;style-src 'self' 'unsafe-inline' ;img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self'  'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-10-21 15:58:20 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

thc...@gmail.com

Oct 23, 2017, 4:56:25 AM
to zaprox...@googlegroups.com
Thanks for all the tests! Looks like an issue with bundled JRE in ZAP
2.6.0 (permissions maybe?).

I'll update the issue with the latest information.

Best regards.

Jim Solderitsch

Oct 23, 2017, 11:41:43 AM
to OWASP ZAP User Group
So can you run ZAP with the version of Java you can reach via the command line rather than with the bundled JRE?

If so, how can this be done?

I did not touch permissions for the bundled JRE for either ZAP 2.5 or 2.6 and 2.5 works but 2.6 does not.

Thanks!

Jim Solderitsch

Oct 23, 2017, 12:16:38 PM
to OWASP ZAP User Group
Downloaded the linux version and ran the command zap.sh in a Mac OS terminal window.

Using this approach, the application invocation WORKS for me using beta 7 of the add-on! There are some GUI glitches in ZAP though -- clicking an item makes it invisible -- like in the sites tree view. This is rather a major glitch for usability.

AND the browser invocation problem I reported in another post to this group is also resolved with the command line invocation approach to running ZAP. I can invoke an installed browser from the main ZAP window and run JxBrowser as well. This was not possible when running ZAP 2.6 installed via the Mac OS dmg installer.

So it does look like a packaging problem for Mac OS X.

thc...@gmail.com

Oct 23, 2017, 1:12:42 PM
to zaprox...@googlegroups.com
Thank you! Really appreciate all the work you have done!

> So it does look like a packaging problem for Mac OS X.

Indeed seems to be an issue with the macOS installer :/

> There are some GUI glitches in ZAP though -- clicking an
> item makes it invisible -- like in the sites tree view. This is rather a
> major glitch for usability.

Yes, that's fixed in the weekly releases. [1]


[1] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.

Jim Solderitsch

Oct 23, 2017, 1:20:55 PM
to OWASP ZAP User Group
Yes, I can confirm that the weekly release fixes the tree view GUI glitch for me.

I will put this version through its paces.

Jim

Jim Solderitsch

Oct 25, 2017, 4:21:09 PM
to OWASP ZAP User Group
In using the weekly version, I found a similar tree view GUI glitch in the Payloads tree browser interface:


Clicking an item makes the text disappear. Is this a known issue?

thc...@gmail.com

Oct 25, 2017, 5:54:36 PM
to zaprox...@googlegroups.com
No, that's new (it has the same cause as the issue in the Sites tree
though).

An issue has been raised:
https://github.com/zaproxy/zaproxy/issues/3988

Thanks!
Best regards.

On 25/10/17 21:21, Jim Solderitsch wrote:
> In using the weekly version, I found a similar tree view GUI glitch in the
> Payloads tree browser interface:
>
> <https://lh3.googleusercontent.com/-Y55fkYGI9K0/WfDyAVkTIKI/AAAAAAAAA8M/Darh5fyymJYoWKkVjrsDL905UwFNTRvfQCLcBGAs/s1600/ZAPGUIGlitch.png>