Use zest scripting from command line
425 views
Skip to first unread message
martin...@jpower8.cz
Jan 25, 2017, 7:04:10 AM1/25/17
to OWASP ZAP User Group
Hi, I try to create a zest script to access URL and make a scan then (see attached zst file). The script works ok when I run it from GUI, but when run from command line:
zap -cmd -script "attack url.zst"
it does not do anything. I checked code in mozilla-zest-0.12.jar and found in ZestActionScan:
public String invoke(ZestResponse response, ZestRuntime runtime) throws ZestActionFailException {
throw new ZestActionFailException(this);
}
Is that supposed to work somehow ?
Thank you
Martin
Simon Bennetts
Jan 25, 2017, 7:11:41 AM1/25/17
to OWASP ZAP User Group
You can run Zest scripts from the command-line without ZAP: https://github.com/mozilla/zest/wiki/Commandline
However that wont help you in this case as you want to invoke a scan.
Zest doesnt 'natively' support the scan action as it doesnt have a scanning engine, this is optionally provided by tools like ZAP.
So what you are trying to do _should_ work.
Are there any errors in the zap.log file?
Cheers,
Simon
However that wont help you in this case as you want to invoke a scan.
Zest doesnt 'natively' support the scan action as it doesnt have a scanning engine, this is optionally provided by tools like ZAP.
So what you are trying to do _should_ work.
Are there any errors in the zap.log file?
Cheers,
Simon
Simon Bennetts
Jan 25, 2017, 7:17:24 AM1/25/17
to OWASP ZAP User Group
For info the relevant bit of code in the ZAP Zest add-on which implements this functionality is hooked in here: https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/zest/ZestZapRunner.java#L260-L261
martin...@jpower8.cz
Jan 25, 2017, 8:50:37 AM1/25/17
to OWASP ZAP User Group
I dont have ZestZapRunner in my stack, my stack trace actually looks like :
Dne středa 25. ledna 2017 13:17:24 UTC+1 Simon Bennetts napsal(a):
org.mozilla.zest.core.v1.ZestActionFailException
at org.mozilla.zest.core.v1.ZestActionScan.invoke(ZestActionScan.java:76)
at org.mozilla.zest.impl.ZestBasicRunner.handleAction(ZestBasicRunner.java:227)
at org.mozilla.zest.impl.ZestBasicRunner.runStatement(ZestBasicRunner.java:195)
at org.mozilla.zest.impl.ZestBasicRunner.run(ZestBasicRunner.java:142)
at org.mozilla.zest.impl.ZestBasicRunner.run(ZestBasicRunner.java:98)
at org.mozilla.zest.impl.ZestBasicRunner.runScript(ZestBasicRunner.java:435)
at org.mozilla.zest.impl.ZestScriptEngine.eval(ZestScriptEngine.java:49)
at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
at org.zaproxy.zap.extension.script.ExtensionScript.invokeScriptImpl(ExtensionScript.java:1043)
at org.zaproxy.zap.extension.script.ExtensionScript.invokeScript(ExtensionScript.java:982)
at org.zaproxy.zap.extension.script.ExtensionScript.openCmdLineFile(ExtensionScript.java:1462)
at org.zaproxy.zap.extension.script.ExtensionScript.execute(ExtensionScript.java:1474)
at org.parosproxy.paros.extension.ExtensionLoader.runCommandLine(ExtensionLoader.java:427)
at org.parosproxy.paros.control.Control.runCommandLine(Control.java:314)
at org.zaproxy.zap.CommandLineBootstrap.start(CommandLineBootstrap.java:77)
at org.zaproxy.zap.ZAP.main(ZAP.java:98)
I'm running from zaproxy Github repo in my IDE, and I put all the plugins into bin/plugin folder:
alertFilters-beta-3.zap
ascanrules-release-23.zap
bruteforce-beta-5.zap
coreLang-release-10.zap
diff-beta-6.zap
directorylistv1-release-3.zap
fuzz-beta-5.zap
gettingStarted-release-5.zap
help-release-6.zap
invoke-beta-3.zap
onlineMenu-release-4.zap
pscanrules-release-16.zap
quickstart-release-20.zap
Readme.txt
reveal-release-2.zap
saverawmessage-release-3.zap
scripts-beta-16.zap
selenium-release-5.zap
spiderAjax-release-17.zap
tips-beta-5.zap
websocket-release-11.zap
zest-beta-21.zap
Is there any preferred / proven way how to debug zap plugins inside running zap ?
Thanks
M.
Dne středa 25. ledna 2017 13:17:24 UTC+1 Simon Bennetts napsal(a):
martin...@jpower8.cz
Jan 25, 2017, 9:50:52 AM1/25/17
to OWASP ZAP User Group
When running from SAME IDE, only with GUI (no -cmd parameter), the stack is different:
java.lang.Exception:
at org.parosproxy.paros.core.scanner.Scanner.start(Scanner.java:148)
at org.zaproxy.zap.extension.zest.ZestZapRunner.invokeScan(Unknown Source)
at org.zaproxy.zap.extension.zest.ZestZapRunner.handleAction(Unknown Source)
at org.mozilla.zest.impl.ZestBasicRunner.runStatement(ZestBasicRunner.java:195)
at org.zaproxy.zap.extension.zest.ZestZapRunner.runStatement(Unknown Source)
at org.mozilla.zest.impl.ZestBasicRunner.run(ZestBasicRunner.java:142)
at org.zaproxy.zap.extension.zest.ZestZapRunner.run(Unknown Source)
at org.mozilla.zest.impl.ZestBasicRunner.run(ZestBasicRunner.java:98)
at org.zaproxy.zap.extension.zest.ZestZapRunner.run(Unknown Source)
at org.mozilla.zest.impl.ZestBasicRunner.runScript(ZestBasicRunner.java:435)
at org.mozilla.zest.impl.ZestScriptEngine.eval(ZestScriptEngine.java:49)
at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
at org.zaproxy.zap.extension.script.ExtensionScript.invokeScriptImpl(ExtensionScript.java:1043)
at org.zaproxy.zap.extension.script.ExtensionScript.invokeScript(ExtensionScript.java:982)
at org.zaproxy.zap.extension.scripts.ConsolePanel$ScriptExecutorThread.run(ConsolePanel.java:449)
I debugged so far that org.mozilla.zest.impl.ZestScriptEngineFactory#setRunner() is called with ZestZapRunner as parameter. That does only happen when running from GUI. Maybe I found a new bug in Scripting or Zest extension?
M.
Dne středa 25. ledna 2017 13:17:24 UTC+1 Simon Bennetts napsal(a):
For info the relevant bit of code in the ZAP Zest add-on which implements this functionality is hooked in here: https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/zest/ZestZapRunner.java#L260-L261
Reply all
Reply to author
Forward
0 new messages