Cannot get ZAP with WebSwing to work properly


jluc.ba...@free.fr

Jul 15, 2022, 11:13:13 AM7/15/22
to OWASP ZAP User Group
Hi,
I have a bash script that:

1) Starts my App in a docker container

2) Starts ZAP as follows:

docker run --user zap --detach --name proxy-prima-lh-924 --network net-prima-lh-924 --hostname proxy-prima-lh-924 -e 'ZAP_WEBSWING_OPTS=-newsession session -addonupdate -config connection.timeoutInSecs=120 -config api.disablekey=true -config pscans.scanOnlyInScope=true -config database.request.bodysize=20000000 -config database.response.bodysize=20000000 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -host 0.0.0.0 -port 8090 -dir /zap/wrk/' --volume /home/jluc/dev/dast/dast-framework/3.1/zap_wrk:/zap/wrk/:rw --publish 192.168.0.22::8090 --publish 192.168.0.22::8080 -i owasp/zap2docker-stable zap-webswing.sh

The script pauses.
I open a browser on http://192.168.0.22:49294/zap/ and wait for ZAP to be fully started.
I press a key to resume the script.

3) Imports the context into ZAP using a Python script, which works fine (I can see it on the WebSwing interface)

4) Runs selenium tests from a docker container as follows:

docker exec selenium-prima-lh-924 mvn test -Dtomcat.host=10.0.0.3 -Dtomcat.port=8080 -Dproxy.host=10.0.0.5 -Dproxy.port=8090 ...

"-Dproxy.host=10.0.0.5 -Dproxy.port=8090" is where ZAP is listening inside the ZAP container, which is used to proxy Firefox inside the selenium container
"-Dtomcat.host=10.0.0.3 -Dtomcat.port=8080" is the target App, which matches the context <incregexes>: http://10.0.0.3:8080.*

But Firefox is not able to reach the App and there is nothing in the ZAP History:
Reached error page: about:neterror?e=nssFailure2&u=https://10.0.0.3:8080/SnAssurance/index.jsp

On the other hand, everything works properly when ZAP is started without WebSwing and I execute the exact same "docker exec selenium" command.

Here is the full piece of code I use to start ZAP:

  if [ $show_proxy = true ]; then
    docker run --user zap --detach --name $proxy_name --network $net_name --hostname $proxy_name \
      -e ZAP_WEBSWING_OPTS="-newsession session -addonupdate -config connection.timeoutInSecs=120 -config api.disablekey=true -config pscans.scanOnlyInScope=true -config database.request.bodysize=20000000 -config database.response.bodysize=20000000 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -host 0.0.0.0 -port $proxy_listen_port -dir /zap/wrk/" \
      --volume "$zap_wrk_path":/zap/wrk/:rw --publish $proxy_host::$proxy_listen_port --publish $proxy_host::$proxy_debug_port -i $proxy_image \
      zap-webswing.sh

    # Retrieve dynamic ports on the host where container ports have been mapped
    retrieve_port_mapping proxy

    # Wait for ZAP Web app to be started by user
    read -n 1 -s -r -p "Open a browser on http://$proxy_host:${props[proxy.host_debug_port]}/zap, wait for ZAP to fully start and press any key to continue."
    info 'Resuming...'
  else
    docker run --user zap --detach --name $proxy_name --network $net_name --hostname $proxy_name \
      --volume "$zap_wrk_path":/zap/wrk/:rw --publish $proxy_host::$proxy_listen_port $proxy_image \
      zap.sh -daemon -dir /zap/wrk/ \
      -config connection.timeoutInSecs=120 \
      -config api.disablekey=true \
      -config pscans.scanOnlyInScope=true \
      -config database.request.bodysize=20000000 \
      -config database.response.bodysize=20000000 \
      -config api.addrs.addr.name=.* \
      -config api.addrs.addr.regex=true \
      -host 0.0.0.0 -port $proxy_listen_port
  fi

Any help
Thank you
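Two checks on the configuration in the post above, added here as an example (not code from the post or from the ZAP project): it splits the ZAP_WEBSWING_OPTS string into its -config settings, reports the ones that leave the ZAP API open to any client on any interface (relevant because both ports are published on the host), and tests URLs against the context include regex the way ZAP does (the whole URL must match), where the https URL from the Firefox error page does not match the http:// include pattern. The option string, include regex and URL are taken verbatim from the post; no other values are assumed.

```python
import re
import shlex

# Inputs copied from the post above: the ZAP_WEBSWING_OPTS value, the
# context <incregexes> entry and the URL Firefox reported on its error page.
ZAP_OPTS = (
    "-newsession session -addonupdate -config connection.timeoutInSecs=120 "
    "-config api.disablekey=true -config pscans.scanOnlyInScope=true "
    "-config database.request.bodysize=20000000 "
    "-config database.response.bodysize=20000000 "
    "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true "
    "-host 0.0.0.0 -port 8090 -dir /zap/wrk/"
)
INCLUDE_REGEX = r"http://10.0.0.3:8080.*"
OBSERVED_URL = "https://10.0.0.3:8080/SnAssurance/index.jsp"


def parse_zap_opts(opts):
    """Split a ZAP command line into '-config key=value' pairs and other options."""
    tokens = shlex.split(opts)
    config, args = {}, {}
    i = 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tokens[i] == "-config" and has_value:
            key, _, value = tokens[i + 1].partition("=")
            config[key] = value
            i += 2
        elif has_value:                      # e.g. -host 0.0.0.0, -port 8090
            args[tokens[i].lstrip("-")] = tokens[i + 1]
            i += 2
        else:                                # bare switch, e.g. -addonupdate
            args[tokens[i].lstrip("-")] = True
            i += 1
    return config, args


def in_scope(url, include_regexes):
    """A ZAP context include regex must match the entire URL, not a prefix."""
    return any(re.fullmatch(rx, url) for rx in include_regexes)


def audit_exposure(config, args):
    """Flag settings that let any client, on any interface, drive the ZAP API."""
    findings = []
    if config.get("api.disablekey") == "true":
        findings.append("api.disablekey=true: no API key required")
    if config.get("api.addrs.addr.regex") == "true" and config.get("api.addrs.addr.name") == ".*":
        findings.append("api.addrs.addr.name=.*: API accepts any client address")
    if args.get("host") == "0.0.0.0":
        findings.append("-host 0.0.0.0: listener bound to all interfaces")
    return findings
```

Running audit_exposure on the post's options returns all three findings, and in_scope(OBSERVED_URL, [INCLUDE_REGEX]) returns False while the same path over http:// returns True.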