ZAP running as a daemon not able to store the traffic proxied through


Anshuman Bhartiya

Aug 13, 2015, 8:20:12 PM
to OWASP ZAP User Group
Hello,

I am running 2 Docker containers - my web app and owasp/zap2docker.

If I simply run ZAP through the web app without actually doing any browsing or sending any tests, ZAP only finds things like header issues which are not that useful to me.
I have a testsuite that I run against my web app and I want that testsuite to proxy through ZAP so that when it finishes, ZAP will have some meaningful data to scan with.

This works fine when I start my web app as a docker container and ZAP by manually starting the ZAP process (not as a daemon). I can see the traffic just fine. And, I can run the scan after that. But, I have to do all this manually.

I want to automate this process so that I can start the ZAP as a daemon in a docker container and my web app as another docker container, run the testsuite against my web app by proxying it through the ZAP daemon. When the test suite finishes, I then want to run my ZAP daemon script to scan against the web app with all the traffic data.

Is this possible?

Can ZAP daemon be made to proxy requests to use it later to scan the target?

Simon Bennetts

Aug 14, 2015, 2:51:10 AM
to OWASP ZAP User Group
The ZAP daemon is really just like the ZAP desktop app, except without the UI ;)
So all requests proxied through ZAP are saved in the session.
You can either keep the ZAP daemon running while you proxy requests through it, and then spider and scan the app, or if for some reason you need to restart the daemon then make sure you persist the first session and then open it when you restart the ZAP daemon.

Does that help?

Cheers,

Simon

Anshuman Bhartiya

Aug 14, 2015, 1:48:34 PM
to OWASP ZAP User Group
Yes, that definitely helps; however, I think I am having some difficulties getting this working.


Here is my setup:

I have owasp/zap2docker-stable running as a Docker container and it looks like this:

owasp/zap2docker-stable               "zap.sh -daemon -por   0.0.0.0:8090->8090/tcp 


I can do a curl 127.0.0.1:8090 and I can successfully retrieve the "Welcome to the OWASP Zed Attack Proxy (ZAP)...." page.


Next, I have my web app running as a Docker container as well and it looks like this:

test      "/bin/sh -c 'nginx &        443/tcp, 4443/tcp, 127.0.0.1:8483->80/tcp   thirsty_wozniak 


I can do a curl 127.0.0.1:8483 and I can successfully retrieve my web app homepage as well.


So far so good.


Next, I set up the following environment variables to be able to proxy the requests via ZAP running as a daemon:

export http_proxy=http://127.0.0.1:8090/

export https_proxy=http://127.0.0.1:8090/


I issue the curl commands again:


curl 127.0.0.1:8090 works fine

but 

curl 127.0.0.1:8483 fails with the following error:


ZAP Error [java.net.ConnectException]: Connection refused


So, basically I can't connect to my web app anymore if I proxy the requests via the ZAP daemon. 


Now, I tried running the ZAP UI manually at 127.0.0.1:8080.

I then set up both the http_proxy and https_proxy to http://127.0.0.1:8080/

and did the curl command 127.0.0.1:8483 and it works just fine.

I can even see that request in the ZAP UI.


So, the question is why isn't it connecting to my app when I run ZAP as a daemon?




Anshuman Bhartiya

Aug 14, 2015, 1:54:50 PM
to OWASP ZAP User Group
And, the way I am starting the ZAP daemon is as follows:

docker run -p 8090:8090 -id owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0


And, the way I am running the ZAP UI is simply by clicking on the owasp-zap item in Kali Linux under Applications. 


Is there something else I need to do while starting the ZAP daemon in the above command? 

kingthorin+owaspzap

Aug 14, 2015, 3:03:55 PM
to OWASP ZAP User Group
Is it only a single line error you get?


ZAP Error [java.net.ConnectException]: Connection refused


Or does it go on to complain about SSL?

Anshuman Bhartiya

Aug 14, 2015, 3:10:07 PM
to OWASP ZAP User Group
just that one line error..


I think I might have figured out what's going on..Can you please let me know if I'm thinking this straight or not..

So since ZAP is started as a daemon inside a docker container, it only has 2 IPs once you log into that container..127.0.0.1 and the Docker IP which is something like 172.17.0.18 and is only accessible to other Docker containers.

So, obviously if I try to proxy requests to 127.0.0.1:8483 from that ZAP daemon, it will not work because there is nothing running inside that docker container on port 8483. The web app is running outside that docker container on port 8483 of the localhost.

So, I would have to do some networking-fu so that when I am proxying the requests via the ZAP daemon, it knows how to talk to my web app outside its docker container on port 8483. 


kingthorin+owaspzap

Aug 14, 2015, 3:28:21 PM
to OWASP ZAP User Group
I haven't futzed with docker at all ever really. But the way you've described it does seem reasonable and logical to me.

Anshuman Bhartiya

Aug 17, 2015, 3:03:45 PM
to OWASP ZAP User Group

I got this working..If anyone is interested, I am happy to share the details..

But, I am having other issues with the scanning in general..

I have seen that ZAP's active scanning is very inconsistent.
With all the proxied test case traffic, the scan sometimes is just stuck at 0%. Sometimes, it is stuck at 80%
and the results vary by a lot.

Is this expected? What is the best way to do an active scan to get some meaningful consistent results?

Right now, I am using the standard "zap.ascan.scan(target)" command..

Simon Bennetts

Aug 20, 2015, 8:50:54 AM
to OWASP ZAP User Group
No, that's not expected :(
Are there any errors in the zap.log file?
https://github.com/zaproxy/zaproxy/wiki/FAQhelp

Cheers,

Simon

Anshuman Bhartiya

Aug 20, 2015, 3:01:50 PM
to zaprox...@googlegroups.com
So, maybe I was wrong..The scans did finish albeit it took a while which is understandable since there was a lot of traffic that got generated as a result of running my test cases..

Having said that, the scan results were not 100% similar on each run (which again I was not hoping for). It did report similar types of vulnerabilities but the count was slightly different on each run..I guess I can live with that..

The other question I had and maybe this is something you can help me with:

So, I am starting a web app in a Docker container (DVWA for testing purposes) and then the ZAP daemon inside another Docker container..
I am then running ZAP's active scan against the URL of DVWA which is nothing but http://127.0.0.1/ because I am starting DVWA on port 80 and ZAP daemon on port 8090.
I am just trying to do an unauthenticated scan for the time being.

What I am constantly observing is that the spider runs, completes, scan runs and completes and doesn't report a single vulnerability..They have the robots.txt file enabled and I was hoping to see at least that in the scan results but that doesn't get reported.

So my question is - Is running an active scan against an application (without actually navigating to it or browsing through it) even worthwhile without actually manually browsing through it and feeding the ZAP daemon some traffic..I don't think the spidering is working the way one would expect it to be? Am I missing something or doing something wrong?
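
Added example (not part of any post in this thread, and not ZAP project code): the workflow discussed above, driven through ZAP's JSON API with only the Python standard library. It checks that the daemon actually recorded the test suite's traffic for the target before spidering and active-scanning, and raises an error instead of waiting forever when a scan stalls. `TARGET` is a constructed address standing for the web app as reachable from inside the ZAP container, the function names are this example's own, and newer ZAP releases may also require an `apikey` parameter on each call.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8090"   # daemon port published with -p 8090:8090, as in the thread
TARGET = "http://172.17.0.19/"  # constructed: the web app's address as seen from the ZAP container


def zap_api(path, **params):
    """GET one ZAP JSON API endpoint, e.g. zap_api("spider/view/status", scanId="0")."""
    url = f"{ZAP}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def recorded_urls(api, target):
    """URLs in ZAP's session under target, i.e. traffic the test suite proxied."""
    return [u for u in api("core/view/urls")["urls"] if u.startswith(target)]


def run_scan(api, component, target, timeout=3600, poll=5):
    """Start a spider or ascan run and poll until 100%, failing loudly if it stalls."""
    scan_id = api(f"{component}/action/scan", url=target)["scan"]
    deadline = time.monotonic() + timeout
    while True:
        status = int(api(f"{component}/view/status", scanId=scan_id)["status"])
        if status >= 100:
            return scan_id
        if time.monotonic() > deadline:
            raise TimeoutError(f"{component} stuck at {status}%, check zap.log")
        time.sleep(poll)


def scan_recorded_traffic(api, target):
    """Spider and active-scan target only if ZAP actually holds traffic for it."""
    if not recorded_urls(api, target):
        # Typical cause in this thread: the tests or the scan used 127.0.0.1,
        # which inside the ZAP container is the ZAP container itself.
        raise RuntimeError(f"ZAP recorded no requests for {target}")
    run_scan(api, "spider", target)
    run_scan(api, "ascan", target)
    return api("core/view/alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    for alert in scan_recorded_traffic(zap_api, TARGET):
        print(alert["risk"], alert["alert"], alert["url"])
```

The functions take the API caller as a parameter, so the same logic can be exercised against a stub before pointing it at a live daemon.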







