Can not access ZAP API from Docker (HELP NEED IT HERE 🚨)


Luis Matos

Sep 30, 2023, 9:02:30 PM
to ZAP User Group
Hi guys,

I'm trying to access OWASP ZAP in a Docker container, and I can't find a way to do it.

I have a cloud Linux server where I'm trying the following command

docker run -p 8090:8090 -i softwaresecurityproject/zap-stable zap.sh -daemon -port 8090 -host 0.0.0.0

You can see more in the following link

So, the service is running, but I can't access the API. I'm trying some requests on Postman like

thc...@gmail.com

Oct 1, 2023, 4:11:53 AM
to zaprox...@googlegroups.com
Hi.

There are several reasons why the ZAP API would not be accessible, e.g.:

- No API key provided:
https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/
- Client address not allowed:
https://www.zaproxy.org/faq/how-can-i-connect-to-zap-remotely/
- The `ip-server` is not known to ZAP:
https://www.zaproxy.org/docs/desktop/addons/network/options/localservers/#aliases


Best regards.

On 01/10/2023 02:02, Luis Matos wrote:
> Hi guys,
>
> I'm trying to access OWASP ZAP in a Docker container, and I can't find a
> way to do it.
>
> I have a cloud Linux server where I'm trying the following command
>
> docker run -p 8090:8090 -i softwaresecurityproject/zap-stable zap.sh
> -daemon -port 8090 -host 0.0.0.0
>
> You can see more in the following link
> https://www.zaproxy.org/docs/docker/about/#accessing-the-api-from-outside-of-the-docker-container
>
> So, the service is running, but I can't access the API. I'm trying some
> requests on Postman like
>
> - https://ip-server:8090/JSON/ascan/view/status/
> - http://ip-server:8090/JSON/ascan/view/status/
> - https://ip-server:8080/JSON/ascan/view/status/
> - http://ip-server:8080/JSON/ascan/view/status/
> - https://ip-server:8080/zap/JSON/ascan/view/status/
> - http://ip-server:8080/zap/JSON/ascan/view/status/
> - And so...

Luis Matos

Oct 1, 2023, 7:27:48 PM
to ZAP User Group
Hi thc202,

Thanks for your response, I appreciate it. 

Let me give you more information about this topic.

I'm running this command to test the API in a cloud Linux server.
docker run --name zap_api -u zap -p 8080:8080 -d ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=123456789

And I can't access the service through the public IP. Even on the host server I can't access the service, but if I look inside the container, the container works.

Here are the test results
This is the error message

537583 [ZAP-IO-Server-1-1738] WARN  org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler - Failed to read https://XXXXXX:8080/JSON/ascan/action/scan/?apikey=123456789&url=https://hackstore.re&recurse=false within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

I have read so many docs threads, just to mention some


Even though the comments mention what needs to be done, I don't really know how I can achieve this.

Related issue

What I'm trying is to access the API in a docker container in Linux server but outside the host server, aka the public IP. You mention that this feature is available here (https://github.com/zaproxy/zaproxy/issues/3594#issuecomment-1034065992) but I can get it working.

I appreciate it if you can help me with this thc202, thanks in advance.

Regards,

Luis Matos

Oct 1, 2023, 7:33:10 PM
to ZAP User Group
Also, I want to mention, that locally (in my local PC), everything works as expected*

Luis Matos

Oct 1, 2023, 8:47:02 PM
to ZAP User Group
Update 🚨

I'm running this command now
docker run --name zap_api -u zap -p 8080:8080 -d ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=123456789


and now I can access the service in the host.
  • Outside the server (❌): 
  • In the host the server (✅): 

thc...@gmail.com

Oct 2, 2023, 2:41:42 AM
to zaprox...@googlegroups.com
See:
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/


Once you add the public address as alias you should be able to access it.

Best regards.

On 02/10/2023 01:47, Luis Matos wrote:
> Update 🚨
>
> I'm running this command now
>
> *docker run --name zap_api -u zap -p 8080:8080 -d
> ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon -host 0.0.0.0 -port 8080
> -config api.addrs.addr.name=.*-config api.addrs.addr.regex=true -config
> api.key=123456789*
>
> and now I can access the service in the host.
>
> - Outside the server (❌):
> - http://public-ip-server:8080
> - Failed to read http://XXXXX:8080/ within 20 seconds, check to see
> if the site is available and if so consider adjusting ZAP's read time out
> in the Connection options panel.
> - In the host the server (✅):
> - curl http://localhost:8080
>
> On Sunday, October 1, 2023 at 19:33:10 UTC-4, Luis Matos wrote:
>
>> Also, I want to mention, that locally (in my local PC), everything works
>> as expected*
>>
>> On Sunday, October 1, 2023 at 19:27:48 UTC-4, Luis Matos wrote:
>>
>>> Hi *thc202*,
>>>
>>> Thanks for your response, I appreciate it.
>>>
>>> Let me give you more information about this topic.
>>>
>>> I'm running this command to test the API in a cloud Linux server.
>>>
>>> *docker run --name zap_api -u zap -p 8080:8080 -d
>>> ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon -config api.addrs.addr.name=.*
>>> -config api.addrs.addr.regex=true -config api.key=123456789*
>>> And I can't access the service through the public IP. Even on the host
>>> server I can't access the service, but if I look inside the container, the
>>> container works.
>>>
>>> Here are the test results
>>>
>>> - Outside the server (❌):
>>> - http://public-ip-server:8080
>>> - In the host the server (❌):
>>> - curl http://container-ip:8080
>>> - curl http://localhost:8080
>>> - Inside the container:
>>> - curl http://container-ip:8080 (❌ Connection refused)
>>> - curl http://localhost:8080 (✅ ZAP API UI)
>>>
>>> This is the error message
>>>
>>>
>>> *537583 [ZAP-IO-Server-1-1738] WARN
>>> org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler
>>> - Failed to read
>>> https://XXXXXX:8080/JSON/ascan/action/scan/?apikey=123456789&url=https://hackstore.re&recurse=false
>>> within 20 seconds, check to see if the site is available and if so consider
>>> adjusting ZAP's read time out in the Connection options panel.*
>>>
>>> I have read so many docs threads, just to mention some
>>>
>>>
>>> - Failed to read https://xxx.xxx.xxx/ within 20 seconds · Issue #6693
>>> · zaproxy/zaproxy (github.com)
>>> <https://github.com/zaproxy/zaproxy/issues/6693>
>>> - ZAP does not know that the address is itself, you should proxy
>>> through that address and use the zap domain. (Or rewrite the
>>> requests to match what the host/port ZAP was set to listen to.)
>>> - With curl proxy through that address instead of requesting it,
>>> then use zap domain e.g. http://zap/ and you should be able to
>>> access the API.
>>> - Mapping to different host port not working with Docker container ·
>>> Issue #3796 · zaproxy/zaproxy (github.com)
>>> <https://github.com/zaproxy/zaproxy/issues/3796>
>>> - ZAP API Ability to specify domains/addresses that API will be
>>> served from · Issue #3594 · zaproxy/zaproxy (github.com)
>>> <https://github.com/zaproxy/zaproxy/issues/3594>
>>> - The current workaround for this is to expose the container
>>> directly through an external IP via a Service in Kubernetes i.e. skipping
>>> the HAProxy altogether. See discussion at
>>> https://groups.google.com/forum/#!msg/zaproxy-users/YSz5nFDVqZI/_FHBNttaAwAJ
>>> - If you proxy through ZAP's public address you can access the API
>>> using http://zap/, the same way you can do locally (most of the
>>> API clients should be already proxying and using the zap domain).
>>> - You need to rewrite the request to match the zap domain (that
>>> should work).
>>>
>>>
>>> Even though the comments mention what needs to be done, I don't really
>>> know how I can achieve this.
>>>
>>> Related issue
>>> Timeout error running zap api in cloud. (google.com)
>>> <https://groups.google.com/g/zaproxy-users/c/4LLrEvS72e0>
>>>
>>> What I'm trying is to access the API in a docker container in Linux
>>> server but outside the host server, aka the public IP. You mention that
>>> this feature is available here (
>>> https://github.com/zaproxy/zaproxy/issues/3594#issuecomment-1034065992)
>>> but I can get it working.
>>>
>>> I appreciate it if you can help me with this *thc202*, thanks in advance.

Luis Matos

Oct 2, 2023, 10:37:30 AM
to ZAP User Group
Thanks so much thc202 for your quick responses.

Unfortunately, even though I understand the resource you shared, it's not clear to me how to add the alias. Can you give me an example of how to add the alias?

Thanks in advance! 👍

thc...@gmail.com

Oct 2, 2023, 10:41:57 AM
to zaprox...@googlegroups.com
They can be added under:
Options > Network > Local Servers/Proxies > Aliases

Best regards.

Luis Matos

Oct 2, 2023, 10:50:42 AM
to ZAP User Group
Is that a GUI breadcrumb?

I'm using the headless image. 

thc...@gmail.com

Oct 2, 2023, 11:06:53 AM
to zaprox...@googlegroups.com
Yes, to know the config key you would use the GUI.

For the record, e.g.:
-config network.localServers.aliases.alias.name=MyPublicIpAddress

Best regards.
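The settings this thread converges on (bind address, port, API key, allowed client addresses, and the alias for the public address) assembled into one script, plus a probe that names the failure mode seen above. This is an added example, not code from the thread or the ZAP project; it assumes docker and curl on the host, that the public address, API key and port are passed as arguments, and it uses the `/JSON/core/view/version/` endpoint and the `X-ZAP-API-Key` request header to send the key.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project). Assumes docker and curl
# on the host; public address, API key and port are parameters.

# Print the docker run command for a headless ZAP reachable via PUBLIC_HOST.
zap_run_cmd() {
  public_host=$1; api_key=$2; port=${3:-8080}
  printf 'docker run --name zap_api -u zap -p %s:%s -d ghcr.io/zaproxy/zaproxy:stable' "$port" "$port"
  printf ' zap.sh -daemon -host 0.0.0.0 -port %s' "$port"
  # Keep an API key set: ZAP rejects API calls without one by default.
  printf ' -config api.key=%s' "$api_key"
  # Allow non-local clients (the thread's .* regex; narrow it when the client IP is fixed).
  printf " -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true"
  # The alias tells ZAP that requests for PUBLIC_HOST are for itself, not a site to proxy to.
  printf ' -config network.localServers.aliases.alias.name=%s\n' "$public_host"
}

# Map an HTTP status and response body to a diagnosis matching the thread's symptoms.
zap_classify() {
  status=$1; body=$2
  case "$body" in
    *"Failed to read"*"within 20 seconds"*)
      echo "alias-missing: ZAP proxied the request to itself; add the alias"; return 1 ;;
  esac
  case "$status" in
    200) echo "ok: API reachable"; return 0 ;;
    403) echo "forbidden: wrong/missing API key or client address not allowed"; return 1 ;;
    000) echo "unreachable: port not published or blocked by firewall/security group"; return 1 ;;
    *)   echo "unexpected status $status"; return 1 ;;
  esac
}

# Probe the API from outside the host, sending the key in the X-ZAP-API-Key header.
zap_api_probe() {
  public_host=$1; api_key=$2; port=${3:-8080}
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 30 \
    -H "X-ZAP-API-Key: $api_key" "http://$public_host:$port/JSON/core/view/version/") || status=000
  body=$(cat "$tmp"); rm -f "$tmp"
  zap_classify "$status" "$body"
}

# Usage: sh zap_public_api.sh cmd 203.0.113.10 MYKEY    (prints the docker command)
#        sh zap_public_api.sh probe 203.0.113.10 MYKEY  (probes the API from outside)
case "${1:-}" in
  cmd)   zap_run_cmd "$2" "$3" "${4:-8080}" ;;
  probe) zap_api_probe "$2" "$3" "${4:-8080}" ;;
esac
```

The addresses and key in the usage comments are constructed placeholders; the probe is meant to be run from a machine that is not the Docker host, since localhost already works.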

Luis Matos

Oct 2, 2023, 11:42:37 PM
to ZAP User Group
Thanks so much thc202!!!

You're the best! It works like a charm.

Just a final question related to this topic: using the Webswing support, I couldn't reach the API. Is it because of the same issue? Or am I missing another configuration?
