ZAP-Baseline Scan returns error: Unable to find script while loading Script Based Authentication Method for name: script.zst


Ivy Martin

Aug 19, 2019, 5:05:38 AM
to OWASP ZAP User Group
Context:
I tried to perform a passive scan using zap-baseline.py from the terminal. I entered the docker container and successfully mounted all the ZAP-related files (context, scripts, etc.) in zap/wrk. The scan was successful. However, the following error was found in the output file (note: this is only visible in the log file, not on the CLI):
Unable to find script while loading Script Based Authentication Method for name: script.zst


I performed the scan using the following command:
zap-baseline.py -t host -r report.html -n host.context

Additional Information:
Issue is REPRODUCIBLE from the ZAP UI

Software versions:

  • ZAP: v2.8.0
  • Add-on: N/A
  • OS: macOS v1.13.6
  • Java version "1.8.0_151"
  • Browser: N/A

I have checked my directories and scripts, and the script exists. It should be loaded successfully, but that wasn't the case.

Does this happen to anyone? What am I missing?


Simon Bennetts

Aug 19, 2019, 5:21:11 AM
to OWASP ZAP User Group
Scripts can be a little bit tricky with ZAP running in Docker.
What path name is being used for the script in the context file? Is that the same one that the script is copied to in docker?
If you've copied that from your desktop config, then ZAP might be looking in ~/ZAP/scripts instead of zap/wrk

thc...@gmail.com

Aug 19, 2019, 10:05:07 AM
to zaprox...@googlegroups.com
Also, ZAP does not add/load scripts by default, you need to do that
beforehand (e.g. with ZAP API, replacing the config.xml, -config argument).

Best regards.


Ivy Martin

Aug 20, 2019, 3:35:24 AM
to OWASP ZAP User Group
Hi,

I have added the file path using the -config argument, but it was still not successful. The same script was used when we tried to execute it via the ZAP UI, and it was successful. The command used is as follows:

zap-baseline.py -t host -r report.html -n file.context -z "-config script.scripts.name=“Login.zst" -config script.script.engine=“MozillaZest" -config script.script.type=authentication -config script.script.enabled=true -config script.script.file="zap/wrk/scripts/authentication/Login.zst"

The following error was output in the output file:

Found Java version 1.8.0_212

Available memory: 1999 MB

Using JVM args: -Xmx499m

0 [main] INFO org.zaproxy.zap.DaemonBootstrap  - OWASP ZAP 2.8.0 started 20/08/19 04:11:34 with home /home/zap/.ZAP/

37 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.disablekey = true was true

37 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.name = .* was .*

38 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config api.addrs.addr.regex = true was true

38 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config spider.maxDuration = 1 was 1

38 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.name = Login.zst was PII Disclosure

39 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.script.engine = MozillaZest was MozillaZest

39 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.script.type = authentication was authentication

40 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.script.enabled = true was true

40 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.script.file = zap/wrk/scripts/authentication/Login.zst was /home/zap/.ZAP/scripts/scripts/authentication/Login.zst

52 [main] INFO org.parosproxy.paros.network.SSLConnector  - Reading supported SSL/TLS protocols...

52 [main] INFO org.parosproxy.paros.network.SSLConnector  - Using a SSLEngine...

140 [main] INFO org.parosproxy.paros.network.SSLConnector  - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

144 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate  - Unsafe SSL renegotiation disabled.

549 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open start

557 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache open end

640 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions

1867 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Installed add-ons: [[id=alertFilters, version=8.0.0], [id=ascanrules, version=33.0.0], [id=bruteforce, version=8.0.0], [id=diff, version=9.0.0], [id=directorylistv1, version=3.0.0], [id=fuzz, version=11.0.0], [id=gettingStarted, version=10.0.0], [id=help, version=9.0.0], [id=hud, version=0.6.0], [id=importurls, version=6.0.0], [id=invoke, version=9.0.0], [id=jxbrowser, version=14.0.0], [id=jxbrowserlinux64, version=12.0.0], [id=onlineMenu, version=6.0.0], [id=pscanrules, version=24.0.0], [id=pscanrulesBeta, version=19.0.0], [id=quickstart, version=26.0.0], [id=replacer, version=7.0.0], [id=reveal, version=2.0.0], [id=saverawmessage, version=4.0.0], [id=savexmlmessage, version=0.0.1], [id=scripts, version=25.0.0], [id=selenium, version=15.0.0], [id=spiderAjax, version=23.0.0], [id=tips, version=6.0.0], [id=webdriverlinux, version=11.0.0], [id=websocket, version=20.0.0], [id=zest, version=29.0.0]]

2202 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Extensions loaded

2431 [ZAP-daemon] INFO org.zaproxy.zap.extension.jxbrowser.ExtensionJxBrowser  - Using version 6.23.1 of JxBrowser.

2433 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows ZAP to check for updates

2438 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Options Extension

2438 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Edit Menu Extension

2438 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a rest based API for controlling and accessing ZAP

2449 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session State Extension

2449 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Report Extension

2449 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing History Extension

2450 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Show hidden fields and enable disabled fields

2451 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Search messages for strings and regular expressions

2452 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Encode/Decode/Hash...

2452 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to intercept and modify requests and responses

2454 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive scanner

2536 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Script Passive Scan Rules

2536 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Stats Passive Scan Rule

2538 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Application Error Disclosure

2538 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Absence of Anti-CSRF Tokens

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Charset Mismatch

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: CSP Scanner

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Content-Type Header Missing

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie No HttpOnly Flag

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Loosely Scoped Cookie

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without Secure Flag

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Web Browser XSS Protection Not Enabled

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Debug Error Messages

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Weak Authentication Method

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Insecure JSF ViewState

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Secure Pages Include Mixed Content

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Private IP Disclosure

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Session ID in URL Rewrite

2539 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Viewstate Scanner

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Content-Type-Options Header Missing

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Frame-Options Header Scanner

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cookie Without SameSite Attribute

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Cross-Domain Misconfiguration

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in URL

2540 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Information Disclosure - Suspicious Comments

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: HTTP Parameter Override

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Timestamp Disclosure

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Username Hash Found

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-AspNet-Version Response Header Scanner

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: X-Debug-Token Information Leak

2541 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan  - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

2565 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to view and manage alerts

2566 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added

2577 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Spider used for automatically finding URIs on a site

2587 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing A set of common popup menus for miscellaneous tasks

2587 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool

2588 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manual Request Editor Extension

2589 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Compares 2 sessions and generates an HTML file showing the differences

2589 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Invoke external applications passing context related information such as URLs and parameters

2589 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles anti cross site request forgery (CSRF) tokens

2593 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authentication Extension

2614 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication  - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]

2616 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser

2662 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Logs errors to the Output tab in development mode only

2662 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Users Extension

2665 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Summarise and analyse FORM and URL parameters as well as cookies

2665 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Script integration

2689 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Scripting console, supports all JSR 223 scripting languages

2887 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Forced User Extension

2888 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Extension handling HTTP sessions

2889 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools

3015 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionDiff

3015 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Post Table View Extension

3015 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Session Management Extension

3019 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement  - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management]

3019 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Form Table View Extension

3019 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Capture messages from WebSockets with the ability to set breakpoints.

3028 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree

3029 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Core UI related functionality.

3029 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Authorization Extension

3029 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing AJAX Spider, uses Crawljax

3030 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.

3035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Manages the local proxy configurations

3035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Handles adding Global Excluded URLs

3035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds menu item to refresh the Sites tree

3035 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing OWASP ZAP User Guide

3036 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides a URL suitable for calling from target sites

3037 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows you to configure which extensions are loaded when ZAP starts

3037 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Combined HTTP Panels Extension

3037 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Hex View Extension

3037 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Image View Extension

3037 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Request View Extension

3038 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Large Response View Extension

3038 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Query Table View Extension

3038 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing HTTP Panel Syntax Highlighter View Extension

3038 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.

3038 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active and passive rule configuration

3041 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Statistics

3042 [ZAP-daemon] INFO org.zaproxy.zap.extension.stats.ExtensionStats  - Start recording in memory stats

3043 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.

3044 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz HTTP messages.

3044 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The Online menu links

3044 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveRawHttpMessage

3044 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionJxBrowserLinux64

3044 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtSelJxBrowserLinux64

3051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Active Scan Rules

3051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionSaveXMLHttpMessage

3051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionJxBrowser

3051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Tips and Tricks

3051 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Easy way to replace strings in requests and responses

3054 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing The ZAP Getting Started Guide

3054 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules

3055 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Context alert rules filter

3056 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Adds the Quick Start panel for scanning and exploring applications

3058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Add the option to use the Ajax Spider in the Quick Start scan

3058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP

3058 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Launch browsers proxying through ZAP

3059 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Heads Up Display

3141 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing ExtensionHUDlaunch

3143 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Allows to fuzz WebSocket messages.

3143 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader  - Initializing Passive Scan Rules - beta

3345 [ZAP-daemon] INFO org.zaproxy.zap.extension.callback.ExtensionCallback  - Started callback server on 0.0.0.0:44365

8570 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on update check complete

8573 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine  - Add-on already installed: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-19.zap

8573 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:33397

9543 [ZAP-ProxyThread-2] INFO org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Loaded script:Login.zst

9788 [ZAP-ProxyThread-2] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Unable to load Script Based Authentication method. The script Login.zst does not properly implement the Authentication Script interface.

9869 [ZAP-ProxyThread-2] ERROR org.zaproxy.zap.extension.api.ContextAPI  - 

java.lang.NullPointerException


Simon Bennetts

Aug 20, 2019, 3:40:17 AM
to OWASP ZAP User Group
Try using an absolute path rather than a relative one, i.e. for "zap/wrk/scripts/authentication/Login.zst"

Ivy Martin

Aug 20, 2019, 4:19:53 AM
to OWASP ZAP User Group
From the output log, the Login.zst file was successfully loaded, but it says that the script "does not properly implement the Authentication Script interface".
We have executed the same script via the ZAP UI, and there the issue is not reproducible.
I have changed the path, but the same error was returned.

Peter Hauschulz

Aug 20, 2019, 4:56:05 AM
to OWASP ZAP User Group
Not sure if it's relevant, but it looks like you have an odd number of quotes around the -config scripts.name portion, and I have mine setting the script engine with a space in it and quotes, rather than as a single word

ie

-config "script.scripts.engine=Mozilla Zest"




....... "-config script.scripts.name=“Login.zst" .........

Ivy Martin

Aug 20, 2019, 5:08:47 AM
to OWASP ZAP User Group
I have tried the following command, but the same error was returned:
zap-baseline.py -t host -r report.html -n file.context -z "-config script.scripts.name=Login.zst -config script.script.engine=MozillaZest -config script.script.type=authentication -config script.script.enabled=true -config script.script.file=/Users/tester/Documents/testing/project/zap/scripts/authentication/Login.zst"




p/s: There's a typo in original command. The original command is as follows:

Peter Hauschulz

Aug 20, 2019, 5:12:39 AM
to OWASP ZAP User Group
and what about with 'Mozilla Zest' instead of 'MozillaZest' ?

thc...@gmail.com

Aug 20, 2019, 5:13:58 AM
to zaprox...@googlegroups.com
Also, there's a typo in some of the keys, the prefix should be
script.scripts instead of script.script

Ivy Martin

Aug 20, 2019, 5:17:19 AM
to OWASP ZAP User Group
The same error was returned.

Ivy Martin

Aug 21, 2019, 12:27:43 AM
to OWASP ZAP User Group
In summary, we are still unable to perform a passive scan using zap-baseline in docker with the scripts supplied.

What we have tried:
  • Added the -config argument to the zap-baseline command
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name="Login.zst" -config script.script.engine="MozillaZest" -config script.script.type=authentication -config script.script.enabled=true -config script.script.file="/zap/wrk/scripts/authentication/Login.zst""

  • Added an absolute path to the zap-baseline command
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name="Login.zst" -config script.script.engine="MozillaZest" -config script.script.type=authentication -config script.script.enabled=true -config script.script.file="/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst""

  • Used script.scripts instead of script.script
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name="Login.zst" -config script.scripts.engine="MozillaZest" -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file="/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst""

  • Used single quotes for the config values
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name='Login.zst' -config script.scripts.engine='MozillaZest' -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file='/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst'"

  • Used Mozilla Zest instead of MozillaZest
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name='Login.zst' -config script.scripts.engine='Mozilla Zest' -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file='/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst'"

    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name="Login.zst" -config script.scripts.engine="Mozilla Zest" -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file="/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst""

  • Used only an opening and a closing quote around the whole -z argument
    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name=Login.zst -config script.scripts.engine=Mozilla Zest -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file=/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst"

    • zap-baseline.py -t host -r report.html -n project.context -z "-config script.scripts.name=Login.zst -config script.scripts.engine=MozillaZest -config script.scripts.type=authentication -config script.scripts.enabled=true -config script.scripts.file=/home/zap/.ZAP/authentication/scripts/scripts/zap/wrk/Login.zst"

Error message for all of the above commands:

4502 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:xxxxx

5443 [ZAP-ProxyThread-2] INFO org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Loaded script:Login.zst

5444 [ZAP-ProxyThread-2] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Unable to load Script Based Authentication method. The script Login.zst does not properly implement the Authentication Script interface.

5511 [ZAP-ProxyThread-2] ERROR org.zaproxy.zap.extension.api.ContextAPI  - 

java.lang.NullPointerException

    at org.zaproxy.zap.utils.EncodingUtils.mapToString(EncodingUtils.java:31)

    at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.persistMethodToSession(ScriptBasedAuthenticationMethodType.java:720)

    at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.persistContextData(ExtensionAuthentication.java:312)

    at org.parosproxy.paros.model.Model.saveContext(Model.java:529)

    at org.parosproxy.paros.model.Session.saveContext(Session.java:1250)

    at org.parosproxy.paros.model.Session.importContext(Session.java:1543)

    at org.zaproxy.zap.extension.api.ContextAPI.handleApiAction(ContextAPI.java:204)

    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:499)

    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)

    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)

    at java.lang.Thread.run(Thread.java:748)

11636 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on host at Wed Aug 21 04:04:45 UTC 2019
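The points raised across this thread (Simon: check that the script name in the context file and the path ZAP is given actually match, and use an absolute path; thc: ZAP does not load scripts on its own, and the key prefix is script.scripts, not script.script; Peter: watch the quoting inside -z) can be folded into a small wrapper run on the host before the container starts. The following is an added example written for this page, not code from the thread or from the ZAP project. It assumes the usual docker layout in which the host working directory is mounted at /zap/wrk inside the container and the Zest script lives under scripts/authentication/ in that directory; the function names, the docker image name in the usage comment, and the sample context file in the comments are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from the ZAP project): assemble the
# -config options for the -z argument of zap-baseline.py so that a Zest
# authentication script is registered under the script.scripts.* keys, and
# check the path and the context file before the container starts.
#
# Assumptions, not confirmed by the thread: the host working directory is
# mounted at /zap/wrk inside the container (as in the standard docker
# invocation) and the script sits under scripts/authentication/ in it.

# Where the host working directory appears inside the container.
ZAP_WRK=/zap/wrk

# is_abs_path PATH: true if PATH starts with "/".
# In the posted log a relative script.scripts.file was resolved against ZAP's
# home (/home/zap/.ZAP/...), not against /zap/wrk, which is why it was not found.
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# container_script_path HOST_DIR HOST_FILE: map a file under HOST_DIR to the
# absolute path it has inside the container, where HOST_DIR is mounted at
# $ZAP_WRK. Fails if HOST_FILE is not under HOST_DIR (it would not be mounted).
container_script_path() {
    host_dir=$1
    host_file=$2
    rel=${host_file#"$host_dir"/}
    [ "$rel" != "$host_file" ] || return 1
    printf '%s/%s\n' "$ZAP_WRK" "$rel"
}

# zap_script_options NAME ENGINE TYPE CONTAINER_FILE: print the -config options
# for -z, one per line, using the script.scripts.* prefix. No shell quotes are
# embedded in the values: the -z string is handed to ZAP, not to a shell, so
# literal quote characters would end up inside the value. Fails unless the
# file path is absolute.
zap_script_options() {
    is_abs_path "$4" || return 1
    printf '%s\n' "-config script.scripts.name=$1"
    printf '%s\n' "-config script.scripts.engine=$2"
    printf '%s\n' "-config script.scripts.type=$3"
    printf '%s\n' "-config script.scripts.enabled=true"
    printf '%s\n' "-config script.scripts.file=$4"
}

# context_names_script CONTEXT_FILE NAME: true if the context file refers to the
# script by the same name that ZAP will register it under. A mismatch here is
# what produces "Unable to find script while loading Script Based
# Authentication Method for name: ..." when the context is imported.
context_names_script() {
    grep -q -F -- "$2" "$1"
}

# Usage on the host (not executed here; the image name is the standard one for
# the ZAP version in the thread):
#   f=$(container_script_path "$PWD" "$PWD/scripts/authentication/Login.zst")
#   context_names_script "$PWD/host.context" Login.zst || echo "name mismatch" >&2
#   opts=$(zap_script_options Login.zst MozillaZest authentication "$f" | tr '\n' ' ')
#   docker run -v "$PWD:/zap/wrk/:rw" -t owasp/zap2docker-stable \
#       zap-baseline.py -t https://host -r report.html -n host.context -z "$opts"
```

Two caveats when adapting this. First, check how your copy of zap-baseline.py splits the -z string before passing it on; if it splits on spaces, a value that itself contains a space (such as an engine name written as "Mozilla Zest") cannot be passed this way regardless of quoting, and registering the script through the ZAP API before importing the context, as thc suggests, avoids the problem. Second, these checks only get the script found and loaded; the later "does not properly implement the Authentication Script interface" error in the thread is about the content of the script, not its location, and nothing here addresses that.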

Peter Hauschulz

Aug 21, 2019, 2:10:03 AM
to OWASP ZAP User Group
Let's take a look at the script itself then!


Do you get the same result running a headless scan on your local machine?


CI/CD ZAP

May 5, 2021, 10:30:44 AM
to OWASP ZAP User Group
Hello,

I was going through this chain. Did you get a solution? I have been facing the same issue and have not yet found a resolution.

Thank you.
