ZAP-CLI Authentication issue


Ayushree Ayushree

Jun 22, 2022, 8:46:31 AM
to OWASP ZAP User Group
Hi,
I'm using the command-line tool ZAP-CLI to run an authenticated scan against one of our domains, and I got stuck on the following error found in the ZAP logs. Can you please provide some suggestions on how to deal with this error?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[Thread-489] FATAL ENGINE - /home/ec2-user/.ZAP/session/untitled1.data getFromFile failed 672584

org.hsqldb.HsqlException: IO error: RowInputBinary

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Regards
Ayushree

Simon Bennetts

Jun 22, 2022, 9:21:02 AM
to OWASP ZAP User Group

Ayushree Ayushree

Jun 22, 2022, 9:39:52 AM
to zaprox...@googlegroups.com
Hey,
Thanks for your response!
As per my understanding, I'm not using the ZAP Docker container; instead I'm using the GUI one and pointing ZAP-CLI at the API of that installation. ZAP-CLI then connects to its API and runs all the required commands. I don't think container space is really the issue here, but rather the HSQLDB memory.
Please correct me if I'm wrong.
Regards
Ayushree


Simon Bennetts

Jun 22, 2022, 11:47:26 AM
to OWASP ZAP User Group
Can you give us the full stack trace?
As I mentioned before, I don't think I've seen this error before, but it might make more sense once we can see the context.

Cheers,

Simon

Ayushree Ayushree

Jun 23, 2022, 3:13:35 AM
to zaprox...@googlegroups.com
Hey Simon,
The procedure I followed for the authentication scan is:
  1. Create the context through the ZAP GUI and export it, along with all the identified URLs.
  2. Link the ZAP API key with the ZAP-CLI command-line tool (command: export ZAP_API_KEY=<your API key>).
  3. Import the context.
  4. Run the active scan against the domain (command:
     zap-cli -v active-scan --recursive -c Context_name -u user_name "https://x.x.com/").
NOTE:
The same error is discussed in the ZAP Google group, but that thread isn't very helpful: https://groups.google.com/g/zaproxy-users/c/aH3D4dg8mUk
Another source I found is https://github.com/zaproxy/zaproxy/issues/4640; I tried changing the cache size of ZAP in 'zap-version/db/zapdb.script' but was still facing the same issue.

Following is the context that I'm importing to the ZAP-CLI:

<configuration>
    <context>
        <name>Context_1</name>
        <desc/>
        <inscope>true</inscope>
        #<incregexes>https://holvi.com/api/auth-proxy/login/usernamepassword/.*</incregexes>
        <incregexes>https://login.app.holvi.com/</incregexes>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.Java.Spring</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>5</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Qid_token\E</loggedin>
            <form>
                <loginurl>https://holvi.com/api/auth-proxy/login/usernamepassword/</loginurl>
                <loginbody>{"client_id":"yIO3banxfsiuQSMrVg7x2LoKAqYKazRV","fingerprint":"a40e2d5ceaf216f9b58853fadb768446","fingerprint_components":"{\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\",\"language\":\"en-GB\",\"colorDepth\":24,\"deviceMemory\":8,\"pixelRatio\":1,\"hardwareConcurrency\":8,\"screenResolution\":\"1920;1080\",\"availableScreenResolution\":\"1920;1055\",\"timezoneOffset\":-180,\"timezone\":\"Europe/Helsinki\",\"sessionStorage\":1,\"localStorage\":1,\"indexedDb\":1,\"openDatabase\":1,\"cpuClass\":\"unknown\",\"platform\":\"MacIntel\",\"doNotTrack\":\"unknown\",\"plugins\":[\"PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf\"],\"webglVendorAndRenderer\":\"Google Inc. (Intel Inc.)~ANGLE (Intel Inc., Intel(R) Iris(TM) Plus Graphics 655, OpenGL 4.1)\",\"touchSupport\":\"0;false;false\",\"fonts\":\"Andale Mono;Arial;Arial Black;Arial Hebrew;Arial Narrow;Arial Rounded MT Bold;Arial Unicode MS;Comic Sans MS;Courier;Courier New;Geneva;Georgia;Helvetica;Helvetica Neue;Impact;LUCIDA GRANDE;Microsoft Sans Serif;Monaco;Palatino;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;Wingdings;Wingdings 2;Wingdings 3\",\"fontsFlash\":\"swf object not loaded\",\"audio\":\"124.04347657808103\",\"enumerateDevices\":\"id=;gid=3007fd31cff100a1d168ffd653caa925ea22600897ae852c2fa354da553637f3;audioinput;;id=;gid=a6d9bd323e3f57a4c5196c1bebae0671b520cf8dc9d20be0a91efb549db66c07;videoinput;;id=;gid=3007fd31cff100a1d168ffd653caa925ea22600897ae852c2fa354da553637f3;audiooutput;\"}","connection":"Username-Password-Authentication","email":"{%username%}","password":"{%password%}","grant_type":"password"}</loginbody>
                <loginpageurl>https://login.app.holvi.com</loginpageurl>
            </form>
        </authentication>
        <users>
            <user>395;true;YXl1;5;YXl1c2hyZWVAaG9sdmkuY29t~SG9sdmkhIV8yMDIy~</user>
        </users>
        <forceduser>395</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>


The error details are as follows:

2022-06-22 07:05:20,269 [Thread-510] FATAL ENGINE - /home/ec2-user/.ZAP/session/untitled1.data getFromFile failed 672584
org.hsqldb.HsqlException: IO error: RowInputBinary 672584
        at org.hsqldb.error.Error.error(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.rowio.RowInputBinary.readInt(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.index.NodeAVLDisk.<init>(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.RowAVLDisk.<init>(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.persist.RowStoreAVLDisk.get(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.persist.DataFileCache.getFromFile(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.persist.DataFileCache.get(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.persist.RowStoreAVLDisk.get(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.index.NodeAVLDisk.findNode(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.index.NodeAVLDisk.getLeft(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.index.IndexAVL.findNode(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.index.IndexAVL.findFirstRow(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.RangeVariable$RangeIteratorMain.getFirstRow(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.RangeVariable$RangeIteratorMain.initialiseIterator(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.RangeVariable$RangeIteratorMain.next(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.QuerySpecification.buildResult(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.QuerySpecification.getSingleResult(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.QuerySpecification.getResult(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.StatementQuery.getResult(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.StatementDMQL.execute(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.Session.executeCompiledStatement(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.Session.execute(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.hsqldb.jdbc.JDBCPreparedStatement.execute(Unknown Source) [hsqldb-2.5.2.jar:2.5.2]
        at org.parosproxy.paros.db.paros.ParosTableHistory.read(ParosTableHistory.java:387) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.model.HistoryReference.<init>(HistoryReference.java:357) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.HostProcess.scanMessage(HostProcess.java:582) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.HostProcess.processPlugin(HostProcess.java:473) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.HostProcess.run(HostProcess.java:369) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.io.EOFException
        at org.hsqldb.lib.HsqlByteArrayInputStream.readInt(Unknown Source) ~[hsqldb-2.5.2.jar:2.5.2]
        ... 29 more
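An added sanity check for an exported context like the one above (example code written for this page, not part of ZAP or ZAP-CLI). It parses the context XML with Python's standard library and reports: stray text such as a `#` in front of an element (XML has no `#` comments, so that `<incregexes>` stays in effect), include regexes that do not match the login URLs as whole URLs (the way ZAP applies context regexes; note that a trailing slash in the regex and none in `<loginpageurl>` is enough to miss), a `<loginbody>` without the `{%username%}`/`{%password%}` placeholders, and `<user>` entries, which carry the test account's base64-encoded credentials and should be redacted before a context is posted anywhere. The sample context is constructed with a fake host and account; the five-field layout of `<user>` is read off the entry above, not from ZAP documentation. None of these checks explains the HSQLDB error in the trace; they are the pass to run before blaming the database.

```python
"""Static checks on an exported ZAP context before it is imported or shared."""
import re
import xml.etree.ElementTree as ET

PLACEHOLDERS = ("{%username%}", "{%password%}")

# Constructed sample with the same layout as the context in the thread but a
# fake host and account (the base64 fields are "test@example.test" and a dummy password).
SAMPLE_CONTEXT = """<configuration>
  <context>
    <name>Context_1</name>
    <inscope>true</inscope>
#<incregexes>https://example.test/api/login/.*</incregexes>
    <incregexes>https://login.example.test/</incregexes>
    <authentication>
      <type>5</type>
      <loggedin>\\Qid_token\\E</loggedin>
      <form>
        <loginurl>https://example.test/api/login/</loginurl>
        <loginbody>{"email":"{%username%}","password":"{%password%}"}</loginbody>
        <loginpageurl>https://login.example.test</loginpageurl>
      </form>
    </authentication>
    <users>
      <user>1;true;dGVzdA==;5;dGVzdEBleGFtcGxlLnRlc3Q=~bm90LWEtcmVhbC1wYXNzd29yZA==~</user>
    </users>
  </context>
</configuration>
"""


def _in_scope(url, include_regexes):
    """ZAP applies context regexes to the whole URL, so use fullmatch, not search."""
    for rx in include_regexes:
        try:
            if re.fullmatch(rx, url, re.IGNORECASE):
                return True
        except re.error:
            pass  # invalid regexes are reported separately by check_context
    return False


def check_context(xml_text):
    """Return {'well_formed', 'errors', 'warnings'} for an exported context.
    Never raises: a malformed file is itself a finding."""
    findings = {"well_formed": True, "errors": [], "warnings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["well_formed"] = False
        findings["errors"].append(f"not well-formed XML: {exc}")
        return findings
    ctx = root.find("context")
    if ctx is None:
        findings["errors"].append("no <context> element")
        return findings

    # A '#' before an element is not a comment in XML: it is stray character data
    # and the element after it is still part of the context.
    stray = [ctx.text or ""] + [child.tail or "" for child in ctx]
    if any(s.strip() for s in stray):
        findings["warnings"].append("stray text inside <context>; a leading '#' does not disable an element")

    includes = [(e.text or "").strip() for e in ctx.findall("incregexes")]
    for rx in includes:
        try:
            re.compile(rx)
        except re.error as exc:
            findings["errors"].append(f"invalid include regex {rx!r}: {exc}")
    if not includes:
        findings["warnings"].append("no include regexes: nothing is in scope")

    form = ctx.find("authentication/form")
    if form is not None:
        for tag in ("loginurl", "loginpageurl"):
            url = (form.findtext(tag) or "").strip()
            if url and not _in_scope(url, includes):
                findings["warnings"].append(f"{tag} {url} is not matched by any include regex")
        body = form.findtext("loginbody") or ""
        for ph in PLACEHOLDERS:
            if ph not in body:
                findings["errors"].append(f"loginbody lacks {ph}; ZAP cannot substitute credentials")

    if ctx.find("users/user") is not None:
        findings["warnings"].append("<user> entries carry base64-encoded credentials; redact before sharing")
    return findings


def redact_users(xml_text):
    """Drop the credential field from every <user> so the context can be posted.
    Assumes the five-field layout seen in the thread: id;enabled;name;authType;credentials."""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        fields = (user.text or "").split(";")
        if len(fields) >= 5:
            fields[4:] = ["REDACTED"]
        user.text = ";".join(fields)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, msgs in check_context(SAMPLE_CONTEXT).items():
        print(key, msgs)
    print(redact_users(SAMPLE_CONTEXT))
```

Run it against the real export instead of SAMPLE_CONTEXT by reading the file into `check_context`; redact with `redact_users` before attaching a context to a bug report.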

thc...@gmail.com

Jun 23, 2022, 9:26:21 AM
to zaprox...@googlegroups.com
It seems that the data file got corrupt; is that happening always?

Are you running isolated scans? (i.e. not using a shared ZAP home.)

Best regards.

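One way to run the scan the way the reply above suggests, each run in its own ZAP home with a freshly created session so nothing is shared with the GUI instance or left over from an earlier, possibly corrupt, `.data` file. This is an added example for this page, not code from ZAP-CLI or from the thread. Assumptions: the ZAP launcher is at `/opt/zaproxy/zap.sh`, port 8090 is free, `zap-cli` is on PATH, and the context file, context name, user name and target are whatever the reader exported; a per-run API key is generated instead of reusing the GUI instance's key. `zap.log` is written into the isolated home, so keep the home when a run fails and read the FATAL ENGINE line from there.

```python
"""Run one authenticated ZAP-CLI scan in a throw-away ZAP home and session."""
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

ZAP_SH = "/opt/zaproxy/zap.sh"  # assumption: ZAP launcher on the scan host
PORT = 8090                     # assumption: free local port for the daemon


def new_scan_home(prefix="zap-scan-"):
    """Fresh, private home directory for this run only. Nothing in it is shared
    with the GUI instance or a previous run, so a stale or half-written
    session .data file can never be picked up."""
    return Path(tempfile.mkdtemp(prefix=prefix))


def remove_scan_home(home):
    """Delete the run's home once its log has been collected."""
    shutil.rmtree(home, ignore_errors=True)


def zap_daemon_args(home, api_key, port=PORT):
    """Command line for a headless ZAP bound to the isolated home with a new
    session (fresh HSQLDB files) instead of the default ~/.ZAP/session."""
    return [
        ZAP_SH, "-daemon",
        "-host", "127.0.0.1", "-port", str(port),
        "-dir", str(home),                  # isolated ZAP home; zap.log lands here
        "-newsession", str(home / "scan"),  # session files created fresh for this run
        "-config", f"api.key={api_key}",
    ]


def zap_cli(api_key, port, *args):
    """zap-cli invocation against that daemon; -v mirrors the command in the thread."""
    return ["zap-cli", "-v", "--api-key", api_key, "--port", str(port), *args]


def run_isolated_scan(context_file, context_name, user_name, target, keep_home=False):
    """Start ZAP in its own home, import the context, run the authenticated
    active scan, collect alerts as JSON, then shut the daemon down."""
    home = new_scan_home()
    api_key = secrets.token_hex(16)  # per-run key, never the GUI instance's
    daemon = subprocess.Popen(zap_daemon_args(home, api_key),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        # status --timeout blocks until the API answers or the timeout expires
        subprocess.run(zap_cli(api_key, PORT, "status", "--timeout", "120"), check=True)
        subprocess.run(zap_cli(api_key, PORT, "context", "import", str(context_file)), check=True)
        subprocess.run(zap_cli(api_key, PORT, "active-scan", "--recursive",
                               "-c", context_name, "-u", user_name, target), check=True)
        # alerts exits non-zero when findings exist, so no check=True here
        alerts = subprocess.run(zap_cli(api_key, PORT, "alerts", "-l", "Medium", "-f", "json"),
                                capture_output=True, text=True)
        return alerts.stdout
    finally:
        subprocess.run(zap_cli(api_key, PORT, "shutdown"), check=False)
        try:
            daemon.wait(timeout=60)
        except subprocess.TimeoutExpired:
            daemon.kill()
        if keep_home:
            print(f"ZAP home kept for inspection: {home} (log: {home / 'zap.log'})")
        else:
            remove_scan_home(home)


if __name__ == "__main__":
    print(run_isolated_scan("Context_1.context", "Context_1", "user_name",
                            "https://x.x.com/", keep_home=True))
```

If the FATAL ENGINE line still appears with a home that no other ZAP process can touch, the corruption is happening inside the single run and the full `zap.log` from that home is what to attach to the thread.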

Ayushree Ayushree

Jun 23, 2022, 9:51:53 AM
to zaprox...@googlegroups.com
Hey,
Yes, it happens every time I try to run the authenticated scan. I did a normal active scan on one of the domains, which worked fine, unlike the authenticated one.
Can you please elaborate more on isolated scans?
FYI, I'm using one context at a time.

Ayushree Ayushree

Jun 29, 2022, 5:24:29 AM
to zaprox...@googlegroups.com
Hi,
A gentle reminder of this issue so that we can discuss and resolve it.
Regards
Ayushree