Soap Scan using Automation Framework.


Sai Theja Pamarty

Jan 24, 2023, 5:37:41 AM
to OWASP ZAP User Group
Hi,

I'm trying to perform a SOAP scan through the Automation Framework.

The config.yaml I'm using for SOAP scanning is:

--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
env:
  contexts:
    - name: context 1
      urls:
        - http://www.expample/app/v1.0?WSDL
      authentication:
        method:
        parameters:
          port: 8090

jobs:

  - type: passiveScan-config
    name: passiveScan-config
    parameters:
      maxAlertsPerRule: 0
      maxBodySizeInBytesToScan: 0

  - type: spider
    name: spider
    parameters:
      acceptCookies: true
      handleODataParametersVisited: false
      handleParameters: USE_ALL
      maxDepth: 5
      maxDuration: 0
      maxParseSizeBytes: 2621440
      parseComments: true
      parseGit: false
      parseRobotsTxt: true
      parseSVNEntries: false
      parseSitemapXml: true
      postForm: true
      processForm: true
      requestWaitTime: 200
      sendRefererHeader: true
      threadCount: 2
      url:  http://www.expample/app/v1.0?WSDL

  - type: activeScan
    name: activeScan
    parameters:
      addQueryParam: false
      delayInMs: 0
      handleAntiCSRFTokens: true
      injectPluginIdInHeader: false
      maxRuleDurationInMins: 0
      maxScanDurationInMins: 0
      scanHeadersAllRequests: false
      threadPerHost: 2

  - type: soap
    name: soap
    parameters:
      wsdlfile:
      wsdlUrl:  http://www.expample/app/v1.0?WSDL 

  - type: outputSummary
    name: outputSummary
    parameters:
      format: LONG
      summaryFile: /opt/SP/devops/DevOpsShare/ZaProxy/reports/zapOS.json

  - type: report
    name: report
    parameters:
      displayReport: false
      reportDescription:
      reportDir: /ZaProxy/reports
      reportFile: zapsoap.html
      reportTitle: ZAP Scanning Report
      template: risk-confidence-html
      theme: null

The command I'm using to call it is:
/jvm/java-11-openjdk-11.0.17.0.8-2.0.1.el7_9.x86_64/bin/java -jar /ZaProxy/ZAP_2.12.0/zap-2.12.0.jar -cmd  -autorun /ZaProxy/ConfigFolder/config.yaml

The output I'm getting is:

Defaulting ZAP install dir to /ZaProxy/ZAP_2.12.0
1143 [main] INFO  org.parosproxy.paros.Constant - Backing up config file to /.ZAP/config.xml.bak
1162 [main] INFO  org.parosproxy.paros.Constant - Upgraded from 20011001
Job authentication set parameters = {port=8090}
Job passiveScan-config set maxAlertsPerRule = 0
Job passiveScan-config set maxBodySizeInBytesToScan = 0
Job spider set acceptCookies = true
Job spider set handleODataParametersVisited = false
Job spider set handleParameters = USE_ALL
Job spider set maxDepth = 5
Job spider set maxDuration = 0
Job spider set maxParseSizeBytes = 2,621,440
Job spider set parseComments = true
Job spider set parseGit = false
Job spider set parseRobotsTxt = true
Job spider set parseSVNEntries = false
Job spider set parseSitemapXml = true
Job spider set postForm = true
Job spider set processForm = true
Job spider set requestWaitTime = 200
Job spider set sendRefererHeader = true
Job spider set threadCount = 2
Job spider set url =  http://www.expample/app/v1.0?WSDL 
Job passiveScan-wait set maxDuration = 0
Job activeScan set addQueryParam = false
Job activeScan set delayInMs = 0
Job activeScan set handleAntiCSRFTokens = true
Job activeScan set injectPluginIdInHeader = false
Job activeScan set maxRuleDurationInMins = 0
Job activeScan set maxScanDurationInMins = 0
Job activeScan set scanHeadersAllRequests = false
Job activeScan set threadPerHost = 2
Job soap set wsdlUrl =  http://www.expample/app/v1.0?WSDL 
Job outputSummary set format = LONG
Job outputSummary set summaryFile = /ZaProxy/reports/zapOS.json
Job report set displayReport = false
Job report set reportDir = /ZaProxy/reports
Job report set reportFile = zapsoap.html
Job report set reportTitle = ZAP Scanning Report
Job report set template =  risk-confidence-html
Job passiveScan-config started
Job passiveScan-config finished
Job spider started
Job spider requesting  http://www.expample/app/v1.0?WSDL
Job spider found 0 URLs
Job spider finished
Job delay started
Job delay ended after specified time null
Job delay finished
Job passiveScan-wait started
Job passiveScan-wait finished
Job activeScan started
Job activeScan finished
Job soap started
Job soap finished
Job outputSummary started
Total of 5 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Anti-clickjacking Header [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: HTTP Server Response Header [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 0     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 53
Job outputSummary finished
Job report started
Job report generated report /ZaProxy/reports/zapsoap.html
Job report finished
Automation plan succeeded!

But the report comes out like in the screenshot, and the GUI's automated scan results are not the same (the GUI has SOAP action spoofing and all, but this doesn't show them).

I've also tried other reports like modern, high-level-report and traditional-html-plus. Everything comes out without vulnerabilities and the CSS script, like the photo attached.

Am I using the config.yaml correctly to scan a SOAP URL?

Thanks & Regards
Sai Theja Pamarty
[attachment: Screenshot 2023-01-24 155924.png]

Simon Bennetts

Jan 24, 2023, 6:25:03 AM
to OWASP ZAP User Group
The jobs are run in the order they are defined in the YAML file.
This means you are loading the SOAP definition _after_ running the active scanner; the active scanner will not be run against any of the URLs imported by the soap job :(
You need to load it before the activeScan job. I'd actually put it before the spider one too, especially as that found no URLs.

Cheers,

Simon

Sai Theja Pamarty

Jan 25, 2023, 6:11:05 AM
to OWASP ZAP User Group
Hi,

Using the GUI, I imported the WSDL URL and used an automated scan. I'm getting vulnerabilities related to SOAP. But when I try to use the automation scan with the pre-loaded template made for SOAP, I'm not getting any vulnerabilities.

Is there any way to mimic the automated scan in the Automation tab of the ZAP GUI or in the YAML template?

Thanks & Regards
Sai Theja Pamarty

Simon Bennetts

Jan 25, 2023, 6:19:41 AM
to OWASP ZAP User Group
Yes, the AF should support pretty much everything needed to scan SOAP.
The key thing is getting the plan right - your original one was wrong.
If you can share your new plan (suitably redacted) then we can check it again.

Cheers,

Simon

Sai Theja Pamarty

Jan 30, 2023, 5:23:05 AM
to OWASP ZAP User Group
Hi,

I'm using the default SOAP plan available in the automation framework in ZAP GUI.

The plan I'm using is:

---
env:
  contexts:
  - name: "Default Context"
    urls:
    includePaths: []
    excludePaths: []
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
      parameters: {}
    technology:
      exclude: []
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    wsdlFile: ""
  name: "soap"
  type: "soap"
- parameters:
    context: "Default Context"
    user: ""
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  name: "spider"
  type: "spider"
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    context: "Default Context"
    user: ""
    policy: ""
    maxRuleDurationInMins: 0
    maxScanDurationInMins: 0
  policyDefinition:
    defaultStrength: "medium"
    defaultThreshold: "medium"
    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "risk-confidence-html"
    theme: "original"
    reportDir: "C:\\Users\\p\\Desktop\\zap"
    reportFile: ""
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: true
  risks:
  - "info"
  - "low"
  - "medium"
  - "high"
  confidences:
  - "falsepositive"
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "siteRiskCounts"
  - "responseBody"
  - "appendix"
  - "alertTypes"
  - "responseHeader"
  - "alertTypeCounts"
  - "riskConfidenceCounts"
  - "alerts"
  - "aboutThisReport"
  - "contents"
  - "requestBody"
  - "reportDescription"
  - "reportParameters"
  - "requestHeader"
  - "summaries"
  name: "report"
  type: "report"

In the output report, I'm getting the following message, "No alerts were found within the report parameters".

Thanks & Regards
Sai Theja

Simon Bennetts

Jan 30, 2023, 5:29:48 AM
to OWASP ZAP User Group
Hi Sai,

By defining your context as http://www.emaple.com/ws/vs?WSDL you probably cannot import any of the OpenAPI endpoints, unless they all start with that URL.
So if your API definition includes links to endpoints like http://www.emaple.com/api/... then they will not be in scope, as they are not under http://www.emaple.com/ws/vs?WSDL.

Use http://www.emaple.com/ as the first URL and then see how many URLs are imported by the openapi job.

Cheers,

Simon

Sai Theja Pamarty

Feb 1, 2023, 3:12:10 AM
to OWASP ZAP User Group
Hi,

Is there any way to do multiple scans for SOAP URLs by providing multiple URLs and WSDL URLs under the soap section? If generated, will they come under one report, or will it produce multiple?

Thanks & Regards
Sai Theja Pamarty

Sai Theja Pamarty

Feb 1, 2023, 3:33:14 AM
to OWASP ZAP User Group
I'm also getting this error:

Feb 01, 2023 8:14:18 AM com.sun.xml.messaging.saaj.soap.SOAPPartImpl lookForXmlDecl
SEVERE: SAAJ0552: XML declaration parsing failed

but the report is getting generated.

Simon Bennetts

Feb 1, 2023, 3:45:48 AM
to OWASP ZAP User Group
You can add as many 'soap' jobs as you like.
However, right now the report will contain everything; we do plan to make this more configurable at some point.
So right now I'd recommend scripting around the AF; you can use variables in order to specify different targets.

Cheers,

Simon
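
Putting Simon's three answers together (jobs run in plan order, so the soap job must come before the spider and active scan; the context URL must be the site root so that imported endpoints are in scope; and one report per target means one ZAP run per target), here is an added driver script. It is example code written for this page, not from the thread or from the ZAP project. It assumes `java` is on PATH, that `ZAP_JAR` and `REPORT_DIR` (defaults mirror the paths posted earlier) are valid on the scanning host, and that the WSDL URLs are passed as arguments. The plan it writes is a cut-down version of the SOAP template plan posted above with the job order corrected; the script substitutes each target into the generated plan itself rather than through the AF's `env.vars`.

```shell
#!/bin/sh
# Added example, not from the thread or the ZAP project: run one ZAP
# Automation Framework plan per SOAP target so each target gets its own
# session and its own report. Assumptions: java is on PATH, ZAP_JAR and
# REPORT_DIR are valid on the scanning host (defaults mirror the paths used
# in the thread), and the WSDL URLs are given as arguments.

ZAP_JAR="${ZAP_JAR:-/ZaProxy/ZAP_2.12.0/zap-2.12.0.jar}"
REPORT_DIR="${REPORT_DIR:-/ZaProxy/reports}"

# Site root (scheme://host[:port]/) of a WSDL URL. The context URL must be
# the root, not the ?WSDL URL, or endpoints under other paths fall out of
# scope and are never spidered or actively scanned.
target_base() {
  printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://[^/?]+).*$#\1/#'
}

# Filename-safe tag from the host part, e.g. www.example.com_8090
report_name() {
  target_base "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#/$##; s#[^A-Za-z0-9.-]#_#g'
}

# Write a plan for one target. Jobs run in file order, so the soap import
# comes first; spider, passive wait, active scan and report follow.
write_plan() {
  plan="$1" base="$2" wsdl="$3" name="$4"
  cat > "$plan" <<EOF
---
env:
  contexts:
    - name: "soap-target"
      urls:
        - "${base}"
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  - type: passiveScan-config
    parameters:
      scanOnlyInScope: true
  - type: soap
    parameters:
      wsdlUrl: "${wsdl}"
  - type: spider
    parameters:
      context: "soap-target"
  - type: passiveScan-wait
  - type: activeScan
    parameters:
      context: "soap-target"
  - type: report
    parameters:
      template: "risk-confidence-html"
      reportDir: "${REPORT_DIR}"
      reportFile: "zap-soap-${name}.html"
      reportTitle: "ZAP SOAP scan: ${base}"
EOF
}

# Refuse to spend scan time on the mistake from the first plan in the
# thread: the soap job must precede both the spider and the active scan.
plan_order_ok() {
  soap=$(grep -n 'type: soap$' "$1" | head -n 1 | cut -d: -f1)
  spider=$(grep -n 'type: spider$' "$1" | head -n 1 | cut -d: -f1)
  ascan=$(grep -n 'type: activeScan$' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$soap" ] && [ -n "$ascan" ] && [ "$soap" -lt "$ascan" ] || return 1
  [ -z "$spider" ] || [ "$soap" -lt "$spider" ]
}

run_target() {
  base=$(target_base "$1")
  name=$(report_name "$1")
  plan="${REPORT_DIR}/plan-${name}.yaml"
  write_plan "$plan" "$base" "$1" "$name"
  plan_order_ok "$plan" || { echo "bad job order in $plan" >&2; return 1; }
  # A fresh ZAP process per target: one session, one report. Running all
  # targets in one process would merge every alert into a single report.
  java -jar "$ZAP_JAR" -cmd -autorun "$plan"
}

if [ "$#" -eq 0 ]; then
  echo "usage: $0 WSDL_URL [WSDL_URL ...]" >&2
else
  for wsdl in "$@"; do run_target "$wsdl"; done
fi
```

Run it as `sh zap-soap-targets.sh http://host1/app/v1.0?WSDL https://host2/ws/vs?WSDL`; each target gets `plan-<host>.yaml` and `zap-soap-<host>.html` under `REPORT_DIR`. The `plan_order_ok` check is cheap insurance against the ordering mistake in the first plan of the thread: a plan that puts `activeScan` before `soap` still ends with "Automation plan succeeded!" and a column of PASS lines, as the log above shows, because the active scanner never saw the imported endpoints.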

Simon Bennetts

Feb 1, 2023, 3:46:25 AM
to OWASP ZAP User Group

Sai Theja Pamarty

Feb 2, 2023, 7:35:59 AM
to OWASP ZAP User Group
2023-02-02 12:28:32,768 [main ] ERROR WSDLCustomParser - Unable to communicate with SOAP server. Server may be not available.
javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:340) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) ~[?:?]
    at sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:951) ~[?:?]
    at sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:873) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
2023-02-02 12:29:10,689 [ZAP-telemetry-start] ERROR ExtensionCallHome - Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

Sai Theja Pamarty

Feb 2, 2023, 12:14:31 PM
to OWASP ZAP User Group
Hi,

I'm also trying to run the scan using quickout. This suddenly stopped working.

 /usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.0.1.el7_9.x86_64/bin/java -Xmx7998m -XX:+UseG1GC -jar /ZaProxy/ZAP_2.12.0/zap-2.12.0.jar -cmd -quickurl http://www.example.com/Login.aspx -quickprogress -quickout /ZaProxy/reports/zap_report.html  

I'm getting an informational alert every time.

[attachment: Screenshot 2023-02-02 223659.png]

2023-02-02 17:03:07,162 [ZAP-ActiveScanner-0] WARN  DomXssScanRule - Skipping scanner, failed to start browser: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: LINUX
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '', ip: '', os.name: 'Linux', os.arch: 'amd64', os.version: '3.10.0-1160.81.1.0.1.el7.x86_64', java.version: '11.0.17'
Driver info: driver.version: FirefoxDriver
2023-02-02 17:03:07,163 [ZAP-Scanner-0] INFO  HostProcess - skipped plugin [failed to start or connect to the browser] http://10.196.150.192 | DomXssScanRule in 0.046s with 0 message(s) sent and 0 alert(s) raised.

2023-02-02 17:03:35,770 [ZAP-telemetry-start] ERROR ExtensionCallHome - Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

org.zaproxy.addon.network.common.ZapSocketTimeoutException: Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

2023-02-02 17:03:51,292 [main ] ERROR ExtensionCallHome - Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

org.zaproxy.addon.network.common.ZapSocketTimeoutException: Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out

I also tried with an older version (2.11.1). I'm getting the first error (Cannot find firefox binary). Do I need to install Firefox? I'm using Linux from the CLI.

Thanks & Regards
Sai Theja Pamarty 

kingthorin+owaspzap

Feb 2, 2023, 12:41:27 PM
to OWASP ZAP User Group
> javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]

Seems to be key. The server wants to use TLS10 (kinda pathetic in 2023, but it happens). But your client is set to a minimum of TLS12 (1.2). Depending on what version of Java you're using, it may not allow you to use older, broken TLS/SSL protocols.

"TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021": https://www.petefreitag.com/item/916.cfm

Sai Theja Pamarty

Feb 8, 2023, 2:35:13 AM
to OWASP ZAP User Group
Hi,

So, ZAP is trying to connect through TLSv1.2, but the application or URL I've provided to be scanned is expecting TLSv1.0. Is this correct?
Is there any setting for this in the config.yaml file (Automation Framework)? If yes, then how do I use it?


[ZAP-telemetry-start] ERROR ExtensionCallHome - Connect to https://tel.zaproxy.org:443 [tel.zaproxy.org/172.67.129.53, tel.zaproxy.org/104.21.1.121] failed: connect timed out
For this, are there any settings in the config file I've used to set it as a proxy, or any other way?

Thanks & Regards
Sai Theja Pamarty
