ZAP Automation Framework hangs after job report is finished


Cornel du Preez

Oct 29, 2021, 5:43:50 PM
to OWASP ZAP User Group
I'm leveraging the automation framework to do a simple scan on a Ubuntu 20.04 EC2 server.

The scan runs well and finishes - albeit too quickly to believe - but then it hangs at "Automation plan succeeded!" indefinitely, from what I can tell. So the only way to get it to quit is to kill the process with Control + Z, which is not ideal...

Here's the stdout:

ubuntu@ip-172-31-0-158:~$ zap.sh -cmd -autorun ~/.ZAP/config.yaml
Found Java version 11.0.11
Available memory: 3928 MB
Using JVM args: -Xmx1964m
Job addOns set updateAddOns = true
Job passiveScan-config set maxAlertsPerRule = 10
Job passiveScan-config set scanOnlyInScope = true
Job spider set maxDuration = 30
Job spiderAjax set maxDuration = 30
Job activeScan set maxScanDurationInMins = 60
Job report set reportDir = /home/ubuntu/.ZAP/
Job addOns started
Job addOns finished
Job passiveScan-config started
Job passiveScan-config finished
Job graphql started
No GraphQL URL specified.
Job graphql finished
Job openapi started
Job openapi finished
Job soap started
Job soap finished
Job spider started
Job spider requesting URL http://zero.webappsecurity.com/
Job spider found 24 URLs
Job spider finished
Job spiderAjax started
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/usr/local/zaproxy/./plugin/spiderAjax-release-23.6.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Job spiderAjax found 0 URLs
Job spiderAjax finished
Job passiveScan-wait started
Job passiveScan-wait finished
Job activeScan started
Job activeScan finished
Job report started
Job report generated report /home/ubuntu/.ZAP/2021-10-29-ZAP-Report-zero.webappsecurity.com.html
Job report finished
Automation plan succeeded!

And here's my config file:

ubuntu@ip-172-31-0-158:~$ cat .ZAP/config.yaml
---
env:                                   # The environment, mandatory
  contexts :                           # List of 1 or more contexts, mandatory
    - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
      urls: [http://zero.webappsecurity.com/]                           # A mandatory list of top level urls, everything under each url will be included
      includePaths:                    # An optional list of regexes to include
      excludePaths:                    # An optional list of regexes to exclude
      authentication:                  # TBA: In time to cover all auth configs
  vars:                                # List of 1 or more variables, can be used in urls and selected other parameters
  parameters:
    failOnError: true                  # If set exit on an error         
    failOnWarning: false               # If set exit on a warning
    progressToStdout: true             # If set will write job progress to stdout

jobs:
  - type: addOns                       # Add-on management
    parameters:
      updateAddOns: true               # Update any add-ons that have new versions
    install:                           # A list of non standard add-ons to install from the ZAP Marketplace
    uninstall:                         # A list of standard add-ons to uninstall
  - type: passiveScan-config           # Passive scan configuration
    parameters:
      maxAlertsPerRule: 10             # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true            # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:        # Int: Maximum body size to scan, default: 0 - will scan all messages
  - type: graphql                      # GraphQL definition import
    parameters:
      endpoint:                        # String: the endpoint URL, default: null, no schema is imported
  - type: openapi                      # OpenAPI definition import
    parameters:
      apiFile:                         # String: Local file containing the OpenAPI definition, default: null, no definition will be imported
      apiUrl:                          # String: URL containing the OpenAPI definition, default: null, no definition will be imported
      targetUrl:                       # String: URL which overrides the target defined in the definition, default: null, the target will not be overridden
  - type: soap                         # SOAP WSDL import
    parameters:
      wsdlFile:                        # String: Local file path of the WSDL, default: null, no definition will be imported
      wsdlUrl:                         # String: URL pointing to the WSDL, default: null, no definition will be imported
  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration: 30                    # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
  - type: spiderAjax                   # The ajax spider - slower than the standard spider but handles modern apps well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration: 30                    # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
      maxCrawlDepth:                   # Int: The max depth that the crawler can reach, default: 10, 0 is unlimited
      numberOfBrowsers:                # Int: The number of browsers the spider will use, more will be faster but will use up more memory, default: 1
  - type: passiveScan-wait             # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration:                   # Int: The max time to wait for the passive scanner, default: 0 unlimited
  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins: 60          # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
  - type: report                       # Report generation
    parameters:
      template:                        # String: The template id, default : modern
      theme:                           # String: The template theme, default: the first theme defined for the template (if any)
      reportDir: /home/ubuntu/.ZAP/                      # String: The directory into which the report will be written
      reportFile: 
      reportTitle:                     # String: The report title
      reportDescription:               # String: The report description

I installed Zap using the installer script for Linux here: https://github.com/zaproxy/zaproxy/releases/download/v2.11.0/ZAP_2_11_0_unix.sh

And here is my support info output:

ubuntu@ip-172-31-0-158:~$ zap.sh -suppinfo
Found Java version 11.0.11
Available memory: 3928 MB
Using JVM args: -Xmx1964m
OWASP ZAP
Version: 2.11.0
Installed Add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrules, version=41.0.0], [id=automation, version=0.7.0], [id=bruteforce, version=11.0.0], [id=commonlib, version=1.5.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=11.0.0], [id=encoder, version=0.6.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.4.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.6.0], [id=help, version=12.0.0], [id=hud, version=0.13.0], [id=importurls, version=8.0.0], [id=invoke, version=11.0.0], [id=oast, version=0.5.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=23.0.0], [id=pscanrules, version=36.0.0], [id=quickstart, version=30.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.9.1], [id=retest, version=0.2.0], [id=retire, version=0.9.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=6.0.0], [id=savexmlmessage, version=0.2.0], [id=scripts, version=29.0.0], [id=selenium, version=15.4.0], [id=soap, version=11.0.0], [id=spiderAjax, version=23.6.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=33.0.0], [id=websocket, version=24.0.0], [id=zest, version=35.0.0]]
Operating System: Linux
Java Version: Ubuntu 11.0.11
System's Locale: en
Display Locale: en_GB
Format Locale: en_GB
ZAP Home Directory: /home/ubuntu/.ZAP/
ZAP Installation Directory: /usr/local/zaproxy/./
Look and Feel: Metal (javax.swing.plaf.metal.MetalLookAndFeel)

Any help would be greatly appreciated!

Thanks,
-Cornel.

Cornel du Preez

Oct 29, 2021, 5:50:19 PM
to OWASP ZAP User Group
Ah, and attached is the zap.log.
zap.log

Simon Bennetts

Nov 1, 2021, 5:33:04 AM
to OWASP ZAP User Group
Hi Cornel,

That doesn't look right :(
Thanks for reporting it - I'll look into it asap.

Cheers,

Simon

psiinon

Nov 1, 2021, 8:33:19 AM
to zaprox...@googlegroups.com
From the zap.log:

2021-10-29 21:47:26,713 [ZAP-AjaxSpiderAuto] WARN  SpiderThread - Failed to start browser firefox-headless
com.google.inject.ProvisionException: Guice provision errors:

1) Error in custom provider, org.openqa.selenium.WebDriverException: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: LINUX
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'ip-172-31-0-158', ip: '172.31.0.158', os.name: 'Linux', os.arch: 'amd64', os.version: '5.11.0-1020-aws', java.version: '11.0.11'

So the Ajax Spider is failing as you don't seem to have Firefox installed, and that's the default browser it uses.
However, the plan should fail in that case and not hang the process, so there could be a bug there. I'll look into that.

Cheers,

Simon


--
OWASP ZAP Project leader
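The root cause above (an Ajax Spider job whose browser is not installed, surfacing only as a WARN line in zap.log) is easy to catch before the plan starts. The script below is an added example, not ZAP project code or anything posted in this thread. It assumes the YAML layout shown earlier, that the spiderAjax job may carry an optional `browserId` parameter (absent from the poster's plan) defaulting to `firefox-headless` as the quoted log line shows, and that the `chrome*` browser ids map to a `google-chrome` binary; the plan and log excerpt it reads are constructed inline.

```shell
#!/bin/sh
# Pre-flight check for a ZAP Automation Framework plan (added example, not
# ZAP's own code). Assumptions: the plan uses the YAML layout from the thread;
# an optional spiderAjax "browserId" selects the browser and defaults to
# firefox-headless, matching the "Failed to start browser firefox-headless"
# line quoted from zap.log.

# Does the plan contain a spiderAjax job? Exit status only.
plan_has_spiderajax() {
  grep -Eq '^[[:space:]]*-[[:space:]]*type:[[:space:]]*spiderAjax' "$1"
}

# Browser binary the Ajax Spider will try to launch for this plan: reads an
# uncommented "browserId:" value if set, otherwise firefox-headless.
ajax_spider_binary() {
  id=$(sed -n 's/^[[:space:]]*browserId:[[:space:]]*\([A-Za-z-]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$id" ] || id="firefox-headless"
  case "$id" in
    firefox*) echo firefox ;;
    chrome*)  echo google-chrome ;;   # assumed binary name for the chrome ids
    *)        echo "$id" ;;
  esac
}

# Is binary $1 on the search path? $2 optionally replaces PATH (used in tests),
# applied inside a subshell so the caller's PATH is untouched.
have_binary() {
  (
    if [ -n "$2" ]; then PATH="$2"; fi
    command -v "$1" >/dev/null 2>&1
  )
}

# Prints "ok", "no-ajax-job" or "missing-browser:<binary>"; non-zero status
# when the browser is missing, so it can gate the zap.sh invocation.
preflight() {
  plan="$1"
  if ! plan_has_spiderajax "$plan"; then
    echo no-ajax-job
    return 0
  fi
  bin=$(ajax_spider_binary "$plan")
  if have_binary "$bin" "$2"; then
    echo ok
  else
    echo "missing-browser:$bin"
    return 1
  fi
}

# After a run: pull the Ajax Spider's browser-launch failure out of zap.log,
# which is where the thread's symptom was actually recorded.
log_browser_failure() {
  grep -E 'Failed to start browser|Cannot find firefox binary' "$1" | head -n 1
}

# --- constructed sample inputs (not real files from the thread) ---
WORK=$(mktemp -d)
PLAN="$WORK/plan.yaml"
LOG="$WORK/zap.log"
FAKEBIN="$WORK/bin"
mkdir -p "$FAKEBIN"

cat > "$PLAN" <<'EOF'
env:
  contexts:
    - name: context 1
      urls: [http://zero.webappsecurity.com/]
jobs:
  - type: spider
    parameters:
      maxDuration: 30
  - type: spiderAjax
    parameters:
      maxDuration: 30
      browserId:                       # unset, so firefox-headless applies
EOF

cat > "$LOG" <<'EOF'
2021-10-29 21:47:26,713 [ZAP-AjaxSpiderAuto] WARN  SpiderThread - Failed to start browser firefox-headless
EOF

# Usage: gate the real run on the check so a missing browser fails fast with a
# clear message instead of a plan that "succeeds" and then hangs.
if preflight "$PLAN"; then
  echo "pre-flight ok; run: zap.sh -cmd -autorun $PLAN"
else
  echo "install the browser above before running zap.sh -cmd -autorun $PLAN" >&2
fi
```

Running the check with a PATH that lacks Firefox reports `missing-browser:firefox`; after the binary is installed it reports `ok`. The log helper is the post-run counterpart: if a plan finishes suspiciously fast, grep zap.log for the browser-launch failure before trusting the report.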

Cornel du Preez

Nov 1, 2021, 1:53:01 PM
to OWASP ZAP User Group
Simon,

Thanks for the quick response! Not sure how I missed that Firefox wasn't installed, thanks for catching that. I've since installed Firefox and that fixed the hanging issue.

Kind regards,
-Cornel.
