Issues with packaged scan on dvwa


Roshan Thomas

Nov 19, 2021, 4:26:12 AM11/19/21
to OWASP ZAP User Group
Hi,

I'm learning how to use ZAP packaged scans since I'll be using it to integrate security scans into my company's CI/CD process. 
I started with DVWA and used ZAP Desktop manually (Version 2.10.0) to generate my context file for authentication details.
I then provided this context file to the ZAP docker image and I ended up getting an error.

Environment: Windows 10
Command used: docker run -v C:/Users/home/zap_work:/zap/wrk -t owasp/zap2docker-stable zap-full-scan.py -t http://192.168.56.102/dvwa -n dvwa.context
The context file (stored in C:/Users/home/zap_work):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>dvwa</name>
        <desc/>
        <inscope>true</inscope>
        <incregexes>http://192.168.56.102/dvwa/*</incregexes>
        <excregexes>http://192.168.56.102/dvwa/logout.php</excregexes>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>2</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Q&lt;a href="logout.php"&gt;Logout&lt;/a&gt;\E</loggedin>
            <loggedout>\Q&lt;input type="submit" value="Login" name="Login"&gt;\E</loggedout>
            <form>
                <loginurl>http://192.168.56.102/dvwa/login.php</loginurl>
                <loginbody>username={%username%}&amp;password={%password%}&amp;Login=Login</loginbody>
                <loginpageurl>http://192.168.56.102/dvwa/login.php</loginpageurl>
            </form>
        </authentication>
        <users>
            <user>100;true;ZGVmYXVsdA==;2;YWRtaW4=~cGFzc3dvcmQ=~</user>
        </users>
        <forceduser>100</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>
The error:
388246 [ZAP-ProxyThread-8] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/spider/action/scan/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: url_not_in_context
        at org.zaproxy.zap.extension.spider.SpiderAPI.scanURL(SpiderAPI.java:497) ~[zap-2.10.0.jar:2.10.0]
        at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(SpiderAPI.java:245) ~[zap-2.10.0.jar:2.10.0]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-2.10.0.jar:2.10.0]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.10.0.jar:2.10.0]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.10.0.jar:2.10.0]
        at java.lang.Thread.run(Thread.java:834) [?:?]

I tried changing the target URL too by adding a trailing slash (-t http://192.168.56.102/dvwa/) and by removing dvwa (-t http://192.168.56.102/), but nothing seems to help.

Could someone point me to where I'm going wrong? This is the first time I'm using ZAP for automation, so I'm kinda clueless.

Thanks,
Roshan

Simon Bennetts

Nov 19, 2021, 4:37:20 AM11/19/21
to OWASP ZAP User Group
Hi Roshan,

Your regex is not right - you should change http://192.168.56.102/dvwa/* to http://192.168.56.102/dvwa/.*
In other words there should be a dot before the star.
You _might_ need to actually use this in the context (I'm not sure tbh) http://192.168.56.102/.*
We recommend creating and testing the context in the ZAP desktop and then exporting it, that way ZAP is much more likely to get the format right.

Cheers,

Simon
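A small script, added here and not part of the thread or of ZAP itself, that applies a context's include/exclude regexes to the URLs discussed above. It assumes ZAP's whole-URL matching for context regexes (Java matches() semantics, mirrored with re.fullmatch) and uses a constructed context fragment trimmed to the elements that matter.

```python
# Added example: which target URLs does each candidate include regex cover?
# Assumption: ZAP matches the whole URL against a context regex, so
# re.fullmatch stands in for Java's Matcher.matches().
import re
import xml.etree.ElementTree as ET

# Constructed context fragment (not the full file from the post).
CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>dvwa</name>
    <incregexes>{include}</incregexes>
    <excregexes>http://192.168.56.102/dvwa/logout.php</excregexes>
  </context>
</configuration>"""


def load_context_regexes(xml_text):
    """Return (include_patterns, exclude_patterns) compiled from a context file."""
    ctx = ET.fromstring(xml_text).find("context")
    inc = [re.compile(e.text) for e in ctx.findall("incregexes") if e.text]
    exc = [re.compile(e.text) for e in ctx.findall("excregexes") if e.text]
    return inc, exc


def url_in_context(url, includes, excludes):
    """In scope only if some include regex matches the whole URL and no exclude does."""
    if not any(p.fullmatch(url) for p in includes):
        return False
    return not any(p.fullmatch(url) for p in excludes)


def coverage(include_regex, urls):
    """Map each URL to whether a context using include_regex would treat it as in scope."""
    inc, exc = load_context_regexes(CONTEXT_XML.format(include=include_regex))
    return {u: url_in_context(u, inc, exc) for u in urls}


TARGETS = [
    "http://192.168.56.102/dvwa",            # -t value from the original command
    "http://192.168.56.102/dvwa/",           # trailing-slash variant that was tried
    "http://192.168.56.102/dvwa/login.php",  # where DVWA sends unauthenticated users
    "http://192.168.56.102/dvwa/logout.php", # excluded on purpose
    "http://192.168.56.102/",
]

if __name__ == "__main__":
    # Note: the unescaped dots in the IP match any character; harmless here, but
    # escape them (192\.168\.56\.102) if the pattern must be strict.
    for rx in ("http://192.168.56.102/dvwa/*",   # as posted: '/*' = zero or more slashes, no pages
               "http://192.168.56.102/dvwa/.*",  # dot before star: anything under /dvwa/
               "http://192.168.56.102/.*"):      # the form that ended up working
        print(rx)
        for url, ok in coverage(rx, TARGETS).items():
            print(f"  {'in ' if ok else 'OUT'}  {url}")
```

The posted pattern covers only the /dvwa directory itself, never a page beneath it, while the corrected patterns cover the pages the spider actually reaches, minus the excluded logout.php.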

Roshan Thomas

Nov 25, 2021, 2:43:43 AM11/25/21
to OWASP ZAP User Group
Thanks Simon. You were right about the context being http://192.168.56.102/. It works now.

Simon Bennetts

Nov 25, 2021, 4:15:16 AM11/25/21
to OWASP ZAP User Group
Thanks for letting us know.