ZAP: missing_parameter

Jack Cook

Mar 30, 2023, 8:30:18 PM
to OWASP ZAP User Group
Hi there,

I'm trying to run a security scan of my application per the CASA audit using the instructions provided here.

When I run the scan, I get this error message:

15383 [ZAP-IO-Server-1-2] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/spider/action/scanAsUser/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: missing_parameter

However, I cannot identify what the missing parameter is. I've included a User and authentication methods as well as an include RegEx. Any ideas?

Thanks!

Simon Bennetts

Mar 31, 2023, 4:30:38 AM
to OWASP ZAP User Group
The "-n /Users/DemoUser/Documents/Context.context" part looks wrong to me.
That folder will not be mounted and so the file will not be accessible.
I would expect it to be something more like "-n /zap/wrk/Context.context" assuming that you put the context file in your cwd.

Cheers,

Simon
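
The path translation described in the reply above, as an added example that is not part of the original thread: it assumes the directory you run the scan from is the one bind-mounted at /zap/wrk, and `container_context_path` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: map a host context file to the path it has inside the ZAP
# container, assuming the mount directory is bind-mounted at /zap/wrk.

ZAP_WRK="/zap/wrk"   # container-side mount point named in the reply above

# container_context_path HOST_FILE [MOUNT_DIR]
# Prints the in-container path for HOST_FILE and returns 0, or explains on
# stderr why ZAP would not see the file and returns non-zero.
container_context_path() {
    local host_file="$1" mount_dir="${2:-$PWD}" abs_mount abs_dir abs_file

    if [ ! -f "$host_file" ]; then
        echo "context file not found on host: $host_file" >&2
        return 2
    fi

    # Resolve symlinks and relative segments so the prefix check is reliable.
    abs_mount="$(cd "$mount_dir" && pwd -P)" || return 2
    abs_dir="$(cd "$(dirname "$host_file")" && pwd -P)" || return 2
    abs_file="$abs_dir/$(basename "$host_file")"

    case "$abs_file" in
        "$abs_mount"/*)
            # Inside the mounted tree: swap the host prefix for /zap/wrk.
            printf '%s/%s\n' "$ZAP_WRK" "${abs_file#"$abs_mount"/}"
            ;;
        *)
            echo "$abs_file is outside $abs_mount, so it is not mounted in the container" >&2
            return 1
            ;;
    esac
}

# Usage (constructed file name): build the -n argument before starting the scan.
#   ctx="$(container_context_path ./Context.context)" && echo "-n $ctx"
```

A non-zero return here means the scan would start without the context, which is the situation the reply describes for the /Users/DemoUser/Documents path.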

Simon Bennetts

Mar 31, 2023, 4:51:13 AM
to OWASP ZAP User Group
CASA do not appear to be very good at sharing ways to get in contact with themselves ;)
If anyone else has any better contact options then please let me know, either here or via a direct email.

Cheers,

Simon

Jack Cook

Apr 3, 2023, 2:25:35 PM
to OWASP ZAP User Group
Thanks for getting back to me! I think the issue is exacerbated by the fact that we use Firebase as an authentication mechanism - there's no straightforward POST login form or JSON endpoint. In attempting to mimic the user flow as closely as possible, is it possible to create an Authentication Script that does the following:

1. Navigates to our login URL.
2. Sets a username in the username input selector.
3. Sets a password in the password input selector.
4. Clicks the "Submit" button.

As far as I can tell I cannot access DOM elements in Authentication scripts, but perhaps I'm wrong about that?

Thanks!

Jack

Simon Bennetts

Apr 4, 2023, 5:07:43 AM
to OWASP ZAP User Group
Hi Jack,

That's exactly what the new Browser Based Authentication Method does :D

Try that and let us know if it works for you.

Cheers,

Simon