ZAP API Scan failing with read timeout on Debian 10


Edmore Tshuma

Oct 28, 2021, 5:05:44 AM
to OWASP ZAP User Group
I am able to do an API scan as well as generate a report when I run the below command from Windows :

docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-api-scan.py -t  http://10.170.170.170:1700 /account?field4=4555666777888"&"field7=GENERIC01"&"field10=ABC076 -f openapi  -r ZAP_Report.htm

Once I switch to running the same command from Debian I get a bunch of errors, not quite sure what I'm missing.

In Linux bash when I run the command I get:
.....
[ZAP-ActiveScanner-1] WARN  org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule - Command Injection vulnerability check failed for parameter [field10] and payload [';cat /etc/passwd;'] due to an I/O error
java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method) ~[?:?]
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:115) ~[?:?]
        at java.net.SocketInputStream.read(SocketInputStream.java:168) ~[?:?]
        at java.net.SocketInputStream.read(SocketInputStream.java:140) ~[?:?]
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:252) ~[?:?]
        at java.io.BufferedInputStream.read(BufferedInputStream.java:271) ~[?:?]
        at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78) ~[commons-httpclient-3.1.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106) ~[commons-httpclient-3.1.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1153) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413) ~[commons-httpclient-3.1.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:2138) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.zaproxy.zap.ZapGetMethod.readResponse(ZapGetMethod.java:112) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1162) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:470) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:315) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:246) ~[zap-D-2021-10-25.jar:D-2021-10-25]
        at org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule.testCommandInjection(CommandInjectionScanRule.java:524) [ascanrules-release-42.zap:?]
        at org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule.scan(CommandInjectionScanRule.java:431) [ascanrules-release-42.zap:?]
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:201) [zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:126) [zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:87) [zap-D-2021-10-25.jar:D-2021-10-25]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:333) [zap-D-2021-10-25.jar:D-2021-10-25]
        at java.lang.Thread.run(Thread.java:829) [?:?]
493852 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.4.117:8002 | CommandInjectionScanRule in 421.201s with 84 message(s) sent and 0 alert(s) raised.
493853 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700 | DirectoryBrowsingScanRule strength MEDIUM threshold MEDIUM
493988 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | DirectoryBrowsingScanRule in 0.136s with 2 message(s) sent and 0 alert(s) raised.
493988 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700 | BufferOverflowScanRule strength MEDIUM threshold MEDIUM
494126 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | BufferOverflowScanRule in 0.137s with 3 message(s) sent and 0 alert(s) raised.
494126 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700 | FormatStringScanRule strength MEDIUM threshold MEDIUM
494287 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | FormatStringScanRule in 0.161s with 9 message(s) sent and 0 alert(s) raised.
494287 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700 | CrlfInjectionScanRule strength MEDIUM threshold MEDIUM
494560 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | CrlfInjectionScanRule in 0.273s with 21 message(s) sent and 0 alert(s) raised.

........
........

-bash: syntax error near unexpected token `('
root@servername:~/serverkeys# 556072 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700| SOAPActionSpoofingActiveScanRule strength MEDIUM threshold MEDIUM
-bash: SOAPActionSpoofingActiveScanRule: command not found
-bash: 556072: command not found
root@servername:~/serverkeys# 556079 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | SOAPActionSpoofingActiveScanRule in 0.007s with 0 message(s) sent and 0 alert(s) raised.
-bash: syntax error near unexpected token `('
root@servername:~/serverkeys# 556080 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.170.170:1700 | SOAPXMLInjectionActiveScanRule strength MEDIUM threshold MEDIUM
-bash: SOAPXMLInjectionActiveScanRule: command not found
-bash: 556080: command not found
root@servername:~/serverkeys# 556151 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://10.170.170.170:1700 | SOAPXMLInjectionActiveScanRule in 0.071s with 0 message(s) sent and 0 alert(s) raised.
-bash: syntax error near unexpected token `('
root@servername:~/serverkeys# 556151 [Thread-6] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host http://10.170.170.170:1700 in 545.697s with 3 alert(s) raised.
-bash: syntax error near unexpected token `('
root@servername:~/serverkeys# 556152 [Thread-5] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner completed in 545.728s
 
The API being scanned is hosted on a Windows server (IIS) but I don't think this should affect the scan.

As a check I have tried to alter the command a bit to remove the bash error:

docker run -v '$(pwd):/zap/wrk/:rw' -t owasp/zap2docker-weekly zap-api-scan.py -t http://10.170.170.170:1700/account?field4=4555666777888&"field7=GENERIC01"&"field10=ABC076 -f openapi -r ~/serverkeys/ZAP_Report.htm

The syntax error now seems to have gone but it's complaining about the mount directory:

docker: Error response from daemon: create $(pwd): "$(pwd)" includes invalid characters for a local volume name, only "[a-zA-Z0-9][a-zA-Z0-9_.-]" are allowed. If you intended to pass a host directory, use absolute path.
  
What am I missing?


Simon Bennetts

Oct 28, 2021, 5:16:24 AM
to OWASP ZAP User Group
I think your escaping is probably wrong.
The '&' in the URL will be treated as a control operator.
Try quoting the whole URL, probably in single quotes as it already includes double quotes.

Cheers,

Simon
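As an added illustration of the quoting point above (example script, not part of the thread or of the ZAP project): the functions below show what bash hands to docker for the two mount spellings and for a single-quoted target URL. Docker is never invoked; the argument list is only printed so it can be inspected.

```shell
#!/bin/sh
# Added example: how the shell sees the volume mount and the target URL from the
# post above. Nothing here runs docker; each function only returns the text that
# docker would have received as an argument.

# Single quotes pass the text through unchanged, so docker receives the literal
# string "$(pwd)" as a volume name, which is exactly the error reported above.
mount_single_quoted() {
    printf '%s' '$(pwd):/zap/wrk/:rw'
}

# Double quotes expand $(pwd) but keep the result as one word, even when the
# current directory contains spaces. This is the form to use on Debian.
mount_double_quoted() {
    printf '%s' "$(pwd):/zap/wrk/:rw"
}

# Quote the whole target URL once. Single quotes are the simplest choice here
# because the URL contains '&' (a control operator when unquoted) but no
# single quote characters. URL taken from the post above.
target_url() {
    printf '%s' 'http://10.170.170.170:1700/account?field4=4555666777888&field7=GENERIC01&field10=ABC076'
}

# Return how many arguments the caller actually passed. Used to confirm that the
# quoted URL arrives as exactly one argument instead of being cut at each '&'.
count_args() {
    printf '%s' "$#"
}

# Assemble the Debian-safe argument list and print one argument per line so the
# quoting can be checked before running docker for real.
zap_api_scan_argv() {
    set -- docker run -v "$(mount_double_quoted)" -t owasp/zap2docker-weekly \
        zap-api-scan.py -t "$(target_url)" -f openapi -r ZAP_Report.htm
    printf '%s\n' "$@"
}
```

Replace the final `printf` in `zap_api_scan_argv` with `"$@"` once the printed argument list looks right and the same function runs the scan.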