ZAP baseline scan in k8 job


Jin Yu

May 5, 2023, 5:59:05 AM5/5/23
to OWASP ZAP User Group
Hi team, 
I am trying to run the ZAP baseline scan against my website, which is protected by Cloudflare. I am aware that I can pass the auth token in the header via env vars (ZAP_AUTH_HEADER_VALUE, ZAP_AUTH_HEADER).

To start, I wanted to try out the scan locally before running it on k8, so my first attempt was to run it locally (Mac):
I did the same as what was done here: https://github.com/zaproxy/zaproxy/issues/6751
1. I exported the env var from my terminal
2. I launched the UI in the same terminal using the following cmd: /Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
3. I tried to run the spider against the site, but the authorization header field is not showing in my request.
[Screenshot 2023-05-04 at 6.20.02 PM.png]

Second attempt, setting the env on the container in my k8 job:
Here is what my job looks like:
apiVersion: batch/v1
kind: Job
metadata:
  name: zap-baseline
spec:
  template:
    metadata:
      name: zap-baseline
    spec:
      serviceAccountName: owasp-zap
      containers:
        - name: zap-baseline
          image: owasp/zap2docker-stable
          env:
            - name: ZAP_AUTH_HEADER
              value: cf-access-token
            - name: ZAP_AUTH_HEADER_VALUE
              value: [redacted]
          command:
            - "/bin/sh"
            - "-c"
            - "/zap/zap-baseline.py -t https://mywebsite.com -J report.json -I"
          volumeMounts:
            - name: zap-volume
              mountPath: /zap/wrk
      restartPolicy: Never
      volumes:
        - name: zap-volume
          emptyDir: {}
  backoffLimit: 0
  completions: 1
I am still getting the error below, which I believe is coming from an authentication error:
Automation plan warnings:
        Job spider error accessing URL https://staging.endow.us status code returned : 404 expected 200


Am I doing it wrong? Why is the header not picking up the env var?

Thanks, 
Jin Yu

Simon Bennetts

May 5, 2023, 12:24:35 PM5/5/23
to OWASP ZAP User Group
Hiya Jin,

I don't know much about k8 so I can't advise you on the config.

But if it's not working locally then that's something we can help with.
And to be honest it's the more important problem - if it doesn't work locally then I don't see much chance of it working in k8.

One thing that would be worth doing is to write a hook which prints out the env vars - it's important to see how far they are getting.
But also use the LogMessages.js script to check exactly what is being sent.

Cheers,

Simon
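
A hook file of the kind Simon suggests, as an added example (not code from the thread or from the ZAP project): it assumes zap-baseline.py's `--hook` option and its `zap_started(zap, target)` hook, and reports at start-up whether the auth-header variables reached the ZAP process, without echoing the secret.

```python
"""Example zap-baseline.py hook file (added illustration, not ZAP's own code).
Load it with `--hook /zap/wrk/env_hooks.py`; the path is an assumption."""
import os

# Variable names as documented by ZAP. ZAP_AUTH_HEADER_VALUE is the one that
# actually enables the header; ZAP_AUTH_HEADER only renames it (default:
# Authorization) and ZAP_AUTH_HEADER_SITE restricts it to one site.
AUTH_VARS = ("ZAP_AUTH_HEADER_VALUE", "ZAP_AUTH_HEADER", "ZAP_AUTH_HEADER_SITE")


def mask(value, keep=4):
    """Printable form of a secret: the first `keep` characters, then stars."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def auth_header_status(environ):
    """Summarise the auth-header setup found in an environment mapping.

    Returns the effective header name, whether ZAP will add the header at all,
    a masked copy of the value, the optional site restriction and a list of
    findings. The clear-text value is never returned."""
    value = environ.get("ZAP_AUTH_HEADER_VALUE", "")
    name = environ.get("ZAP_AUTH_HEADER") or "Authorization"
    site = environ.get("ZAP_AUTH_HEADER_SITE", "")
    findings = []
    if not value:
        findings.append("ZAP_AUTH_HEADER_VALUE is unset or empty: no header will be added")
    if value != value.strip():
        # A token copied with a trailing newline is a common cause of 401/404s.
        findings.append("ZAP_AUTH_HEADER_VALUE has leading/trailing whitespace")
    return {
        "header": name,
        "enabled": bool(value),
        "masked_value": mask(value),
        "site": site,
        "findings": findings,
    }


def zap_started(zap, target):
    """zap-baseline.py hook: runs once ZAP is up, before the spider starts."""
    status = auth_header_status(os.environ)
    print("auth header check: %s -> enabled=%s value=%s site=%r" % (
        status["header"], status["enabled"], status["masked_value"], status["site"]))
    for finding in status["findings"]:
        print("  WARNING: " + finding)
```

If the hook prints `enabled=False` inside the container, the variable never reached the ZAP process; if it prints `enabled=True` but LogMessages.js shows no header, the problem is on the ZAP side.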

Jin Yu

May 8, 2023, 12:04:14 AM5/8/23
to OWASP ZAP User Group
Hi Simon, 

Thanks for getting back to me. Could you advise how I can debug from the desktop? As I mentioned in the previous email, I tried to pass the env var to my desktop app, but it doesn't seem to be getting passed to the request. Is there a way I can verify that the environment variable is passed properly to the application?

Thanks, 
Jin Yu

thc...@gmail.com

May 8, 2023, 2:12:54 AM5/8/23
to zaprox...@googlegroups.com
Run the following Stand Alone JavaScript script:
print(Java.type("java.lang.System").getenv("ZAP_AUTH_HEADER"))


https://www.zaproxy.org/docs/desktop/addons/script-console/

Best regards.