zap-baseline.py error using exported context


M C

Apr 15, 2021, 11:03:01 AM
to OWASP ZAP User Group
Hello!

Help with this would be greatly appreciated!
I ran a scan successfully using the OWASP ZAP attack with authentication, after configuring the context with users and Form authentication. Then I exported this context to use in the docker zap-baseline.py, like below:

docker run -v ${PWD}:/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t http://algo-lx-si-002.ssnc-corp.cloud:1024 -n algoonetools.context -U svc_si_pds

But I got an error (actually two), and I don't know if the first one is a red herring.

First error/warning
45027 [ZAP-cfu] WARN  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Failed to check for updates using: https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.10.xml
java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]

Second error where the scan stopped
org.zaproxy.zap.extension.api.ApiException: missing_parameter
at org.zaproxy.zap.extension.spider.SpiderAPI.scanURL(SpiderAPI.java:493) ~[zap-2.10.0.jar:2.10.0]
at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(SpiderAPI.java:284) ~[zap-2.10.0.jar:2.10.0]
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-2.10.0.jar:2.10.0]
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.10.0.jar:2.10.0]
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.10.0.jar:2.10.0]
at java.lang.Thread.run(Thread.java:834) [?:?]

Maybe the part of the context file which is the missing parameter is the username/password? Here it is:

           <form>
                <loginurl>http://myhost.com:1024/</loginurl>
                <loginbody>Username=svc_si_pds&amp;Password=svc123</loginbody>
                <loginpageurl>http://myhost.com:1024/</loginpageurl>
            </form>
        </authentication>

Does it look OK? Is this a common error? I can post the whole context if needed.
Thanks!

thc...@gmail.com

Apr 15, 2021, 11:54:50 AM
to zaprox...@googlegroups.com
Hi.

Are you able to access the target from the Docker container?

Could you share the include in context regular expressions?

Based on the error it seems that either the target is not accessible or
the regular expressions don't include the site.

Best regards.

M C

Apr 15, 2021, 1:07:47 PM
to OWASP ZAP User Group
Hi,
Thanks for the reply. I should have mentioned that if I run the command line without the -t option, a scan is done of the login page, so it seems that the target is accessible.

Here is the entire file:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>Default Context</name>
        <desc/>
        <inscope>true</inscope>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>2</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Q&lt;title&gt;Tools&lt;/title&gt;\E</loggedin>
            <loggedout>\Q&lt;title&gt;Tools Login Page&lt;/title&gt; \E</loggedout>
            <form>
                <loginurl>http://myhost.com:1024/</loginurl>
                <loginbody>Username=svc_si_pds&amp;Password=pwd123</loginbody>
                <loginpageurl>http://myhost.com:1024/</loginpageurl>
            </form>
        </authentication>
        <users>
            <user>106;true;c3ZjX3NpX3Bkcw==;2;c3ZjX3NpX3Bkcw==~cHdkMTIz~</user>
        </users>
        <forceduser>106</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>

thc...@gmail.com

Apr 15, 2021, 1:17:24 PM
to zaprox...@googlegroups.com
The context does not seem to be including anything. I'd expect something like:
<incregexes>http://myhost.com:1024.*</incregexes>

Best regards.

M C

Apr 15, 2021, 1:30:49 PM
to OWASP ZAP User Group
Thanks! If you have a sample of this section of the context, I'd appreciate it.

thc...@gmail.com

Apr 15, 2021, 1:46:54 PM
to zaprox...@googlegroups.com
That's it, that goes under the context element.

If you don't have other targets you just need to add that.

You can import the context to ZAP with GUI to verify that it has
everything expected (check under Include in Context).

Best regards.
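The scope rule behind this exchange, as an added example that is not part of the thread and not ZAP's own code: a pre-flight check for a context file before handing it to zap-baseline.py. It applies the test the spider applies to every URL (the URL must match one of the context's <incregexes> and none of its <excregexes>; the assumption here is that ZAP anchors these regexes over the whole URL, which is why the suggested pattern ends in ".*"), so a context with no include regexes fails the check exactly as it failed the scan above, and it decodes the <user> records so you can see that the exported file carries the account's password (the "id;enabled;b64(name);authtype;b64(name)~b64(password)~" layout is inferred from the record posted in the thread). The sample contexts are constructed from the posted file with the tech list shortened; hostnames and credentials are the placeholders the thread already uses.

```python
"""Pre-flight check for a ZAP context file before running zap-baseline.py.

Added example; not from the original thread and not part of ZAP. Reproduces the
scope test the spider applies (URL fully matches an <incregexes> entry and no
<excregexes> entry; full-string anchoring is an assumption) and reports the
credentials an exported context embeds, so the file is not committed by mistake.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: the thread's context, tech list removed for brevity.
CONTEXT_WITHOUT_INCLUDES = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>Default Context</name>
        <inscope>true</inscope>
        <authentication>
            <type>2</type>
            <form>
                <loginurl>http://myhost.com:1024/</loginurl>
                <loginbody>Username=svc_si_pds&amp;Password=pwd123</loginbody>
                <loginpageurl>http://myhost.com:1024/</loginpageurl>
            </form>
        </authentication>
        <users>
            <user>106;true;c3ZjX3NpX3Bkcw==;2;c3ZjX3NpX3Bkcw==~cHdkMTIz~</user>
        </users>
        <forceduser>106</forceduser>
    </context>
</configuration>
"""

# The same context after the fix suggested in the thread.
CONTEXT_WITH_INCLUDES = CONTEXT_WITHOUT_INCLUDES.replace(
    "<inscope>true</inscope>",
    "<inscope>true</inscope>\n        <incregexes>http://myhost.com:1024.*</incregexes>",
)


def scope_regexes(context_xml: str):
    """Return (include_patterns, exclude_patterns) of the first <context>."""
    ctx = ET.fromstring(context_xml).find("context")
    if ctx is None:
        raise ValueError("no <context> element in file")
    inc = [e.text for e in ctx.findall("incregexes") if e.text]
    exc = [e.text for e in ctx.findall("excregexes") if e.text]
    return inc, exc


def url_in_scope(context_xml: str, url: str) -> bool:
    """In scope = matches some include regex and no exclude regex (whole URL)."""
    inc, exc = scope_regexes(context_xml)
    if not any(re.fullmatch(p, url) for p in inc):
        return False
    return not any(re.fullmatch(p, url) for p in exc)


def embedded_users(context_xml: str):
    """Decode <user> records; layout assumed from the record in the thread."""
    found = []
    for u in ET.fromstring(context_xml).iter("user"):
        fields = (u.text or "").split(";")
        if len(fields) < 5:
            continue
        user_id, enabled, b64name, _auth_type, creds = fields[:5]
        name = base64.b64decode(b64name).decode()
        parts = [base64.b64decode(p).decode() for p in creds.split("~") if p]
        found.append({
            "id": user_id,
            "enabled": enabled == "true",
            "name": name,
            "has_password": len(parts) >= 2 and bool(parts[1]),
        })
    return found


def preflight(context_xml: str, target_url: str):
    """Problems zap-baseline.py would run into with this context and target."""
    problems = []
    inc, _ = scope_regexes(context_xml)
    if not inc:
        problems.append("context has no <incregexes>: nothing is in scope, "
                        "so the spider has no URL to start from")
    elif not url_in_scope(context_xml, target_url):
        problems.append(f"target {target_url} matches none of the include "
                        f"regexes {inc}")
    for u in embedded_users(context_xml):
        if u["has_password"]:
            problems.append(f"context embeds the password of user "
                            f"{u['name']!r}; keep this file out of the repo")
    return problems


if __name__ == "__main__":
    for label, ctx in (("as posted", CONTEXT_WITHOUT_INCLUDES),
                       ("with incregexes", CONTEXT_WITH_INCLUDES)):
        print(label, preflight(ctx, "http://myhost.com:1024/") or ["ok"])
```

Run it against the real exported file by reading it into a string and calling preflight(xml_text, target) with the same target you pass to -t; the first message disappears once the <incregexes> line is in place, the password warning stays until the credentials are removed from the file or the file is kept outside version control.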

M C

Apr 15, 2021, 4:14:29 PM
to OWASP ZAP User Group
That worked, thanks!