Active scan through Java clientApi gives "URL Not Found in the Scan Tree"


Paulius

Jan 25, 2018, 7:28:43 AM
to OWASP ZAP User Group
Hello,

When I try to launch an active scan as a user, using the Java client API, it gives me the error "URL Not Found in the Scan Tree". However, if I try to do the same scan through the ZAP UI or the ZAP API, the scan is launched without errors.

I am calling the scan using this approach:

    import java.net.URLEncoder;
    import org.zaproxy.clientapi.core.ApiResponse;
    import org.zaproxy.clientapi.core.ClientApi;

    // form body of the request the scanner should replay
    StringBuilder postData = new StringBuilder();
    postData.append("par1=").append(URLEncoder.encode("value1", "UTF-8"));
    postData.append("&par2").append(URLEncoder.encode("value2", "UTF-8")); // "=" missing here, see the replies below

    // scanAsUser(url, contextId, userId, recurse, scanPolicyName, method, postData)
    ApiResponse response = clientApi.ascan.scanAsUser(
            "http://localhost:7412/app/view/info",
            "0",         // context id, taken from the real context
            "0",         // user id, taken from the real context
            null,        // recurse
            "Xss Only",  // custom scan policy
            "POST",
            postData.toString());

Stack trace I am getting:
Exception in thread "main" org.zaproxy.clientapi.core.ClientApiException: URL Not Found in the Scan Tree
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:32)
    at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:318)
    at org.zaproxy.clientapi.gen.Ascan.scanAsUser(Ascan.java:286)

I assume that when this issue https://github.com/zaproxy/zaproxy/pull/3233 was fixed, the fixes were not applied to the client API? Or is there something I am doing incorrectly?
 
I am using:
  • ZAP 2.7.0
  • Java client API 1.5.0
  • Java: 1.7

thc...@gmail.com

Jan 25, 2018, 8:03:40 AM
to zaprox...@googlegroups.com
Hi.

If it's working with the ZAP API UI it should be working with the API
clients (they use the same API endpoints).

In "&par2", is it missing an equals? (Just a typo in this message?)

Are the POST data and the URL exactly the same as when using the ZAP API UI?

Regarding the issue, that was about picking nodes without a method
(intermediate nodes in the Sites tree); it does not apply to this case.

Best regards.
> - ZAP 2.7.0
> - Java client API 1.5.0
> - Java: 1.7
>

Paulius

Jan 25, 2018, 8:30:25 AM
to OWASP ZAP User Group
Hello,

Sorry, this is a typo. The request parameters are exactly the same. I had doubts about whether the URL encoding works correctly, so I even tried calling a simple GET request from the code to the ZAP API, and it worked (I am currently using this solution as a workaround).

However, I have also tried passing the same parameters as a plain string instead of the "postData.toString()" parameter and received the same error.

In addition, if I change the method from POST to GET, the error does not appear; however, the scan itself does not work (the same behaviour is observed with the ZAP API). So I think that this is somehow related to the Java client API.

thc...@gmail.com

Jan 25, 2018, 8:58:51 AM
to zaprox...@googlegroups.com
OK, in that case I'd suggest taking a look at the API requests (as
received by ZAP). You can enable debug logging by running a Stand Alone
JavaScript with:
org.apache.log4j.Logger.getLogger("org.zaproxy.zap.extension.api.API").setLevel(org.apache.log4j.Level.DEBUG);

Or, editing the file log4j.properties (in home dir [1]) to have:
log4j.logger.org.zaproxy.zap.extension.api.API=DEBUG

The API requests will be logged to zap.log (in the home dir), which should
help spot what might be wrong with the API requests sent by the Java client.

(Note that the requests sent by the ZAP API UI might have some extra
parameters, "zapapiformat" and "formMethod", that's expected and
shouldn't cause any issue.)

[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.
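The two replies above boil down to one checklist: the context id and user id must be real, and ZAP must already hold a node for the exact URL + method (+ POST body) you hand to scanAsUser, otherwise the active scanner answers "URL Not Found in the Scan Tree". The following Java program is an added example, not code from the original poster or from the ZAP project: it runs those checks against a live ZAP through the same zap-api-java client before launching the scan and polls for completion. The host, port, API key, target URL, context/user ids, policy name and form body are placeholder assumptions; replace them with your own values.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

public class ScanAsUserCheck {

    public static void main(String[] args) throws Exception {
        // Assumptions: ZAP listens on localhost:8080 with the API key below;
        // target, ids, policy and body are placeholders for illustration.
        ClientApi zap = new ClientApi("localhost", 8080, "change-me");
        String target = "http://localhost:7412/app/view/info";
        String contextId = "0";
        String userId = "0";
        String policy = "Xss Only";
        String postData = "par1=value1&par2=value2";

        // 1. The context and the user must exist; print what ZAP actually has
        //    so the ids can be compared with the ones used in the call.
        System.out.println("contexts: " + zap.context.contextList());
        System.out.println("users in context " + contextId + ": "
                + zap.users.usersList(contextId));

        // 2. The scanner looks up a Sites-tree node by URL and method. Walk
        //    the history for the target URL and require a POST to it; if none
        //    is there, ZAP has never seen that request, so proxy it first.
        ApiResponse history = zap.core.messages(target, "0", "50");
        boolean seenPost = false;
        for (ApiResponse msg : ((ApiResponseList) history).getItems()) {
            String dump = msg.toString(); // contains the request header line
            if (dump.contains("POST " + target)) {
                seenPost = true;
                System.out.println("matching POST node found:\n" + dump);
            }
        }
        if (!seenPost) {
            throw new IllegalStateException(
                    "no POST request to " + target + " in ZAP history; "
                    + "send it through the proxy before calling scanAsUser");
        }

        // 3. Same argument order as in the original post:
        //    url, contextId, userId, recurse, scanPolicyName, method, postData.
        ApiResponse started = zap.ascan.scanAsUser(
                target, contextId, userId, null, policy, "POST", postData);
        String scanId = ((ApiResponseElement) started).getValue();

        // 4. Poll ascan.status until the scan reports 100%.
        int progress = 0;
        while (progress < 100) {
            Thread.sleep(2000);
            ApiResponse status = zap.ascan.status(scanId);
            progress = Integer.parseInt(((ApiResponseElement) status).getValue());
            System.out.println("scan " + scanId + ": " + progress + "%");
        }
        System.out.println("scan " + scanId + " finished");
    }
}
```

Run it with the API DEBUG logging from the reply above enabled and diff the logged ascan/action/scanAsUser request against the one the ZAP API UI sends; the client encodes each parameter once for the API query string, so the postData value in zap.log should decode back to exactly the form body you passed in.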

Paulius

Jan 29, 2018, 1:01:42 AM
to OWASP ZAP User Group
Thank you for the information. Using the debug log I found an incorrect parameter in my code.


thc...@gmail.com

Jan 29, 2018, 4:09:28 AM
to zaprox...@googlegroups.com
Cool, thanks for letting us know!

Best regards.