problem adding custom scripts to zap headless in docker


jhpe...@gmail.com

Feb 2, 2021, 7:26:05 PM
to OWASP ZAP User Group
Hello everyone,
I'm trying to add some custom scripts to ZAP headless in Docker. I have a small script that is responsible for consuming the resource of the ZAP API to add the scripts. I already tested the script locally and it works perfectly. I tested the consumption of the resource manually through Postman and I also had success, but when trying to run the script in the container I always get a 400 code response with the message "Does Not Exist". Is there some limitation or problem when loading custom scripts to a dockerized headless ZAP, or is the problem mine? I've been dealing with this for 2 days and I can't understand why.

Thank you very much

Simon Bennetts

Feb 3, 2021, 7:41:08 AM
to OWASP ZAP User Group
By default processes running in Docker cannot access any files outside of Docker - this is a Docker restriction :)
You will need to map a local directory to Docker as per https://www.zaproxy.org/docs/docker/baseline-scan/ ie using docker options like "-v $(pwd):/zap/wrk/:rw"
When you load the script in ZAP using the API or config options then use the full path in Docker, e.g. /zap/wrk/my_script.js

Cheers,

Simon

jhpe...@gmail.com

Feb 3, 2021, 10:44:31 AM
to OWASP ZAP User Group
Yes, of course. All the files that I need I add to Docker through volumes, and all the paths are full paths. Even so, I can't get it to work.

eri...@augment1security.com

Feb 3, 2021, 11:55:39 AM
to OWASP ZAP User Group
Hi,

If I understand correctly, you have a script that adds scripts through the ZAP API but are having trouble doing so when in Docker. One potential problem which I would first like to ensure is not causing problems is the difference in permissions between the outside user and the zap user in Docker. Please take a quick look at the Dockerfile section of https://augment1security.com/cicd/cicd-with-owasp-zap-docker-and-pipeline-scripting-part-1/ to see what I mean. After that, see if you are still getting that 400 response code when you execute the script (that adds scripts) again.

Another question I have, to understand better: when you say "I already tested the script locally and it works perfectly", are you running the script against desktop ZAP?

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec

jhpe...@gmail.com

Feb 4, 2021, 12:46:31 PM
to OWASP ZAP User Group
I already got the script to work. What happens is that in the Dockerfile I am starting from the stable image of ZAP and in addition to this I am creating an Azure agent. What happened is that the Azure agent works under the root user and the ZAP image under the zap user. In order to start the Azure agent I must run the container as root, but the root user cannot see the ZAP folders in /home/zap/.ZAP, and if I run the container as the zap user, I can see and open the folders in /home/zap/.ZAP but I can't run the Azure agent. I tried changing the execution permissions of the Azure agent with chmod 111 but it didn't work. Is there anything that can be done so that root can see and access /home/zap/.ZAP? Thank you


I add an image with evidence to be clearer

Thanks so much
zap docker.png

eri...@augment1security.com

Feb 5, 2021, 5:53:12 AM
to OWASP ZAP User Group
Hi,

Just wondering if you managed to take a look at the Dockerfile section of https://augment1security.com/cicd/cicd-with-owasp-zap-docker-and-pipeline-scripting-part-1/ ? I believe that will set your root user to be the same as zap user but that requires creating a new image on top of the zap docker file.

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec
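
The two checks raised in this thread (the in-container path from the `-v` mapping, and whether the zap user can read the mounted file), sketched as an added example that is not code from the thread or from ZAP. It assumes a POSIX host, a bind mount without ACLs or user-namespace remapping, and that the zap user has uid 1000; the function names are made up for illustration.

```python
import os
from pathlib import Path, PurePosixPath
from urllib.parse import urlencode

ZAP_UID = 1000  # assumption: uid of the zap user; confirm by running `id` in the container


def container_path(host_file, volume_spec):
    """Map a host file to the path ZAP sees, given a `-v host:container[:mode]` spec."""
    host_dir, cont_dir = volume_spec.split(":")[:2]
    # relative_to raises ValueError when the file is not under the mounted directory
    rel = Path(host_file).resolve().relative_to(Path(host_dir).resolve())
    return str(PurePosixPath(cont_dir) / rel.as_posix())


def _bits(path, uid, gids):
    """Return the rwx triplet that applies to uid: owner, group or other."""
    st = os.stat(path)
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & 0o7


def readable_in_container(host_file, volume_spec, uid=ZAP_UID, gids=()):
    """True if a non-root uid can traverse the mounted tree and read the file.

    Bind mounts keep the host's numeric owner and mode bits, so the check runs on the host.
    """
    host_dir = Path(volume_spec.split(":")[0]).resolve()
    target = Path(host_file).resolve()
    target.relative_to(host_dir)  # ValueError if the file is outside the mount
    if not _bits(target, uid, gids) & 0o4:  # read bit on the script itself
        return False
    folder = target.parent
    while True:
        if not _bits(folder, uid, gids) & 0o1:  # search (x) bit on each directory
            return False
        if folder == host_dir:
            return True
        folder = folder.parent


def load_script_url(zap_base, api_key, name, script_type, engine, host_file, volume_spec):
    """Build the script/load API call with fileName set to the in-container path."""
    query = urlencode({"scriptName": name, "scriptType": script_type,
                       "scriptEngine": engine, "apikey": api_key,
                       "fileName": container_path(host_file, volume_spec)})
    return f"{zap_base}/JSON/script/action/load/?{query}"
```

The engine string passed to `load_script_url` should be one of the values the running ZAP instance reports from its `script/view/listEngines` API view.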
