Error while running ZAP API


Nitin Sharma

May 17, 2018, 12:00:44 AM
to OWASP ZAP User Group
Hello there,

I have installed ZAP 2.7.0 on an Ubuntu machine inside VirtualBox. I have also set up ZAP to work with Firefox (FoxyProxy) in Ubuntu with IP 192.168.56.3 and port 8083, which is also working fine. I am able to get all the requests in the ZAP GUI while browsing. The ZAP root certificate and local proxy configuration are done appropriately.

I am facing a proxy error while working with the ZAP API in daemon mode from a Python script. The error is as follows:
 
*******************************************************
Starting ZAP ...
Waiting for ZAP to load, 10 seconds ...
Accessing target https://hackyourselffirst.troyhunt.com/
Spidering target https://hackyourselffirst.troyhunt.com/
Traceback (most recent call last):
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/urllib3/connectionpool.py", line 387, in _make_request
    six.raise_from(e, None)
  File "<string>", line 2, in raise_from
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/urllib3/connectionpool.py", line 383, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.5/http/client.py", line 1197, in getresponse
    response.begin()
  File "/usr/lib/python3.5/http/client.py", line 297, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.5/http/client.py", line 266, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='192.168.56.3', port=8083): Max retries exceeded with url: http://zap/JSON/spider/action/scan/?apikey=&url=https%3A%2F%2Fhackyourselffirst.troyhunt.com%2F (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response',)))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/q/Desktop/zap.py", line 52, in <module>
    zap.spider.scan(target)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/zapv2/spider.py", line 212, in scan
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params)))
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/zapv2/__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/zapv2/__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/requests/sessions.py", line 521, in get
    return self.request('GET', url, **kwargs)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/root/secure_testing/s_w/lib/python3.5/site-packages/requests/adapters.py", line 502, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='192.168.56.3', port=8083): Max retries exceeded with url: http://zap/JSON/spider/action/scan/?apikey=&url=https%3A%2F%2Fhackyourselffirst.troyhunt.com%2F (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response',)))

********************************************

And my script is:

################################

#!/usr/bin/env python

import time, subprocess, os
from pprint import pprint
from zapv2 import ZAPv2

print ('Starting ZAP ...')
subprocess.Popen(['/root/secure_testing/ZAP_2.7.0/zap.sh','-daemon', '-p', '8083'],stdout=open(os.devnull,'w'))
print ('Waiting for ZAP to load, 10 seconds ...')
time.sleep(10)

target = str('https://hackyourselffirst.troyhunt.com/')
# zap = ZAPv2(proxies={'http': 'http://192.168.56.3:8083', 'https': 'http://192.168.56.3:8083'}) # 1st
zap = ZAPv2()  # 2nd

# Use the line below if ZAP is not listening on 8090
#zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


# do stuff
print ('Accessing target {}'.format(target))
# try have a unique enough session...
zap.urlopen(target)
# Give the sites tree a chance to get updated
time.sleep(2)

print ('Spidering target {}'.format(target))
zap.spider.scan(target)

##########################################

I don't understand what the issue actually is. Please help.

thc...@gmail.com

May 17, 2018, 4:13:54 AM
to zaprox...@googlegroups.com
Hi.

The API requests might be being ignored, for example, if the API key is
not being supplied or the address connecting to the API is not allowed.
[1][2]

Worth checking the zap.log file as it might have the reason why the API
requests are failing (if the cause is in ZAP). [3]


[1] https://github.com/zaproxy/zaproxy/wiki/FAQapikey
[2] https://github.com/zaproxy/zaproxy/wiki/FAQremote
[3] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.

Nitin Sharma

May 17, 2018, 11:27:32 AM
to OWASP ZAP User Group
@thc202

I have already disabled the API key from the GUI. However, considering your suggestions, I have disabled the key in the program itself while starting it in daemon mode. Still I am facing the same issue. I have checked the log file at ~/.ZAP/zap.log, which ends with this error line:

"
[ZAP-daemon] ERROR ProxyServer - Cannot listen on port 192.168.56.4:8085
"

My edited snippet has two lines changed from the above one:

1. subprocess.Popen(['/root/secure_testing/ZAP_2.7.0/zap.sh','-daemon', '-config', 'api.disablekey=true'],stdout=open(os.devnull,'w'))

2. target = str('http://192.168.56.5')  # tried to access another server this time connected to same network

3. zap = ZAPv2(proxies={'http': 'http://192.168.56.4:8085', 'https': 'http://192.168.56.4:8085'})
# tried to change the port also, although ip got changed by dhcp

FoxyProxy in the browser in the Ubuntu VM is still working fine with the ZAP UI, and the ZAP API is not working.

Simon Bennetts

May 17, 2018, 11:37:29 AM
to OWASP ZAP User Group
OK, so that's telling you that ZAP cannot listen on the port specified.
You'll need to fix that before anything will be able to connect to it.
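
A pre-flight check for the "Cannot listen on port" condition discussed above, as an added example that is not part of the original thread or of ZAP itself. The helper names `check_bind` and `wait_for_listener` are hypothetical; the address and port in the demo are the ones from the quoted zap.log line.

```python
import errno
import socket
import time


def check_bind(host, port):
    """Try to bind host:port as a listener would; return (ok, reason)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, port))
        return True, "free"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return False, "port already in use by another process"
        if e.errno == errno.EADDRNOTAVAIL:
            # Typical after a DHCP lease change: the configured IP is no
            # longer assigned to any interface on this machine.
            return False, "address is not assigned to any local interface"
        if e.errno == errno.EACCES:
            return False, "permission denied for this port"
        return False, e.strerror or str(e)


def wait_for_listener(host, port, timeout=60.0, interval=0.5):
    """Poll until something accepts TCP connections on host:port."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


if __name__ == "__main__":
    # Address and port taken from the zap.log line quoted in the thread.
    host, port = "192.168.56.4", 8085
    ok, reason = check_bind(host, port)
    print("{}:{} -> {}".format(host, port, reason))
    # Only after a clean check would a script start zap.sh, then call
    # wait_for_listener(host, port) in place of a fixed time.sleep(10).
```

Run `check_bind` before launching the daemon and `wait_for_listener` after it, so a bind failure is reported by the script instead of surfacing later as a ProxyError from the API client.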

Nitin Sharma

May 17, 2018, 12:33:06 PM
to OWASP ZAP User Group
Alright, there might be a problem with that. I have tried connecting the ZAP UI to the same port using the same proxy. Is it that we can't connect the ZAP API and the ZAP UI on the same port? I am sure that, at any one time, I am running either the ZAP UI or the ZAP API. Could you please suggest a way to sort it out?

PS: I have attached the screenshots of my working environment with ZAP UI.
1_BWA.png
1_OWASP.png

Steven Bracamonte

Jun 10, 2018, 12:41:48 PM
to OWASP ZAP User Group
I had a similar issue. It was the syntax in my apikey that was off. I have also read that the apikey is required, so I would just set it up to be used since it's not that difficult.
Here's my bash script:

#!/bin/bash
cd /usr/share/zaproxy
# The .* value is quoted so the shell passes it to ZAP literally
./zap.sh -daemon -config api.key="123456" -port 8081 -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true

Then set up your Python script with the params:

# ZAP must already be running from the command line (bash script above) before this API client is used
from zapv2 import ZAPv2
api = '123456'
target = 'https://hackyourselffirst.troyhunt.com/'  # same target as in the original post's script
zap = ZAPv2(apikey=api, proxies={'http': 'http://127.0.0.1:8081', 'https': 'http://127.0.0.1:8081'})
scanid = zap.spider.scan(target)


Hope that helps.
Thanks,
Steven

Venkata Subrahmanyam

Feb 26, 2020, 7:41:08 AM
to OWASP ZAP User Group
Hello, 

I am able to run this script perfectly. Thank you for this. But when I hit an HTTPS application, I get "maximum tries exceeded". It works in the ZAP GUI with "Unsafe SSL renegotiation" enabled. How do I enable it via the command line, since I need to run it as a daemon?

kingthorin+owaspzap

Feb 26, 2020, 4:42:33 PM
to OWASP ZAP User Group
Set it via the API. You can browse the API infra by browsing to ZAP's proxy port while ZAP is running.