ZAP docker AJAX problem


shoos...@klipfolio.com

Mar 12, 2019, 1:51:14 PM3/12/19
to OWASP ZAP User Group
Hi,
I am trying to scan our app using ZAP API. When I use my ZAP locally the AJAX spider step works fine (with firefox).
However, when I use ZAP docker (pulled using docker pull owasp/zap2docker-stable) I get a `Received shutdown notice. Reason is Exausted` error.

1552406318449   geckodriver     INFO    geckodriver 0.19.1
1552406318461   geckodriver     INFO    Listening on 127.0.0.1:2129
1552406318944   mozrunner::runner       INFO    Running command: "/usr/lib/firefox/firefox" "-marionette" "-profile" "/tmp/rust_mozprofile.BreCNToQSSdR"
1552406321197   Marionette      INFO    Enabled via --marionette
1552406325196   Marionette      INFO    Listening on port 38673
1552406325234   Marionette      WARN    TLS certificate errors will be ignored for this session
1552406325424   Marionette      DEBUG   Register listener.js for window 2147483649
117136 [Forwarding newSession on session null to remote] INFO org.openqa.selenium.remote.ProtocolHandshake  - Detected dialect: W3C
1552406325617   Marionette      DEBUG   Received DOM event "beforeunload" for "about:blank"
117663 [ZAP-ProxyThread-30] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
117900 [ZAP-ProxyThread-30] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
1552406326562   Marionette      DEBUG   Received DOM event "pagehide" for "about:blank"
1552406326562   Marionette      DEBUG   Received DOM event "unload" for "about:blank"
118927 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
1552406329198   Marionette      DEBUG   Received DOM event "DOMContentLoaded" for "https://dev-25-kb.kfdev.ca:6443/trends/metric"
120870 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
121278 [ZAP-ProxyThread-38] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
121499 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
1552406330127   Marionette      DEBUG   Received DOM event "pageshow" for "https://dev-25-kb.kfdev.ca:6443/trends/metric"
122123 [ZAP-ProxyThread-43] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
122335 [ZAP-ProxyThread-42] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
122743 [ZAP-ProxyThread-47] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
122925 [ZAP-ProxyThread-48] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
123306 [ZAP-AjaxSpiderApi] INFO com.crawljax.core.CrawlController  - Received shutdown notice. Reason is Exausted
123511 [ZAP-AjaxSpiderApi] INFO com.crawljax.core.CrawlController  - Shutdown process complete

Can anyone please help me?
Thanks.

hauschu...@gmail.com

Mar 13, 2019, 5:19:33 AM3/13/19
to OWASP ZAP User Group
I'm not a docker user much, but it looks like the spider is repeatedly trying to login and not getting anywhere (since it's hitting the same URL). 

Is it possible that the authentication and force user setup on your docker image needs to be set to match your local UI version?

shoos...@klipfolio.com

Mar 14, 2019, 4:42:52 PM3/14/19
to OWASP ZAP User Group
I use ZAP's API to set this:
api.forcedUser.setForcedUserModeEnabled(true);
api.forcedUser.setForcedUser(contextId, userId);

I use the same settings for both docker and local (I just change the port: when I run against my local ZAP I use the local port, and when I run against the docker container I use the container's port).

hauschu...@gmail.com

Mar 15, 2019, 3:34:20 AM3/15/19
to OWASP ZAP User Group
What do the logs for the application being tested say? What kind of traffic are they seeing? Is there record of a successful login?

It looks like you have forced user enabled properly, but if the credentials are wrong, not being received, or the logged in/logged out indicators not set properly, then it would still get stuck on a login page and quit pretty quickly. 

side note: since this is public internet, I do recommend trying to sanitize the URLs you are testing, especially if they are dev environments or otherwise not public :)
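One way to make the two checks suggested in these replies concrete: the first reply reads the repeated "Authenticating user" lines as the spider logging in over and over, and this reply says that happens when the credentials never arrive or the logged-in/logged-out indicators are wrong. The script below is an added example, written in plain Python with only the standard library; it is not code from this thread or from ZAP. The ZAP log excerpt and the two HTTP responses are constructed for the example, the indicator semantics are modelled on ZAP's documented behaviour (a logged-in match wins, then a logged-out match, and both headers and body are searched), and the function names are assumptions of this example rather than any ZAP API.

```python
"""Diagnose a ZAP forced-user run that keeps re-authenticating.

Added example, not ZAP's own code. Two offline checks on constructed data:
  1. auth_storm(): count 'Authenticating user' events in a ZAP log; in forced-user
     mode ZAP logs in once and reuses the session until a response fails the
     logged-in check, so many logins in a short window mean the session never sticks.
  2. check_indicators(): run candidate logged-in / logged-out regexes against
     sample responses the way ZAP evaluates them, before pushing them via the API.
"""
import re
from collections import Counter

# Constructed ZAP log excerpt, modelled on the output quoted in the thread; not a real capture.
SAMPLE_ZAP_LOG = """\
117663 [ZAP-ProxyThread-30] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
117900 [ZAP-ProxyThread-30] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
118927 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
120870 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
121278 [ZAP-ProxyThread-38] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
121499 [ZAP-ProxyThread-34] INFO org.zaproxy.zap.users.User  - Authenticating user: admin
123306 [ZAP-AjaxSpiderApi] INFO com.crawljax.core.CrawlController  - Received shutdown notice. Reason is Exausted
123511 [ZAP-AjaxSpiderApi] INFO com.crawljax.core.CrawlController  - Shutdown process complete
"""

AUTH_LINE = re.compile(
    r"^(?P<ms>\d+) \[(?P<thread>[^\]]+)\] INFO org\.zaproxy\.zap\.users\.User\s+- Authenticating user: (?P<user>\S+)$"
)


def auth_events(log_text):
    """Return (elapsed_ms, thread, user) for each 'Authenticating user' line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            events.append((int(m["ms"]), m["thread"], m["user"]))
    return events


def auth_storm(log_text, window_ms=10_000, min_logins=3):
    """Return (is_storm, login_count, span_ms, logins_per_thread).

    is_storm is True when at least min_logins authentications fall inside window_ms,
    i.e. ZAP is re-authenticating on nearly every request instead of reusing a session.
    """
    events = auth_events(log_text)
    if not events:
        return (False, 0, 0, {})
    span = events[-1][0] - events[0][0]
    per_thread = dict(Counter(thread for _, thread, _ in events))
    return (len(events) >= min_logins and span <= window_ms, len(events), span, per_thread)


def is_authenticated(response_headers, response_body, logged_in_regex=None, logged_out_regex=None):
    """Decide whether a response looks authenticated, modelled on ZAP's documented
    indicator rules (assumption: headers and body are both searched):
      logged-in indicator matches          -> True
      else logged-out indicator matches    -> False
      else only a logged-out regex is set  -> True (nothing says we were logged out)
      else (logged-in set, no match)       -> False, which makes ZAP log in again
    With neither regex configured there is nothing to decide on, so return None
    so the caller notices the gap rather than trusting a guess.
    """
    if logged_in_regex is None and logged_out_regex is None:
        return None
    text = response_headers + "\r\n\r\n" + response_body
    if logged_in_regex and re.search(logged_in_regex, text):
        return True
    if logged_out_regex and re.search(logged_out_regex, text):
        return False
    return logged_in_regex is None


# Constructed responses: what the app returns to an unauthenticated client and to a logged-in one.
SAMPLES = [
    ("login page", False, "HTTP/1.1 200 OK\r\nContent-Type: text/html",
     '<form action="/login" method="post"><input name="username"><input name="password"></form>'
     '<a href="/login">Sign in</a>'),
    ("dashboard", True, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=abc; HttpOnly",
     '<nav><a href="/logout">Sign out</a></nav><h1>Trends</h1>'),
]


def check_indicators(samples, logged_in_regex, logged_out_regex):
    """Evaluate candidate indicators against labelled samples (label, expected, headers, body).

    Returns the list of (label, expected, got) mismatches; an empty list means the
    regexes classify every sample the way a human would.
    """
    mismatches = []
    for label, expected, headers, body in samples:
        got = is_authenticated(headers, body, logged_in_regex, logged_out_regex)
        if got != expected:
            mismatches.append((label, expected, got))
    return mismatches


if __name__ == "__main__":
    storm, count, span, per_thread = auth_storm(SAMPLE_ZAP_LOG)
    print(f"logins={count} span_ms={span} per_thread={per_thread} storm={storm}")
    # Sound indicators: every sample classified as expected.
    print("good:", check_indicators(SAMPLES, r'href="/logout"', r'href="/login"'))
    # A logged-in indicator the app never emits: the dashboard reads as logged out,
    # so ZAP would re-authenticate on every page, which is exactly the storm above.
    print("bad: ", check_indicators(SAMPLES, r"Welcome, admin", r'href="/login"'))
```

Capture the two responses with the same ZAP instance that will run the scan (the Docker container, not the local UI), because the page the container sees after login is the one the indicators have to match. If the ZAP log shows the storm but the target application's logs show no successful login at all, the problem is upstream of the indicators: the credentials or the login request itself are not reaching the application from inside the container. ZAP evaluates indicators as Java regexes; the plain literals above behave the same in both engines.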

shoos...@klipfolio.com

Mar 18, 2019, 9:46:00 AM3/18/19
to OWASP ZAP User Group
Thanks for your suggestions.
I think there is a login problem then. It should be how the docker container accesses the target server, because all the settings work when I run using a local ZAP.
Sure, I should have removed our URLs.