ZAP API Error

[Sougata Laha]

Hello Guys, 

I am making a POC of ZAP with Selenium automation. 

This is my main class:

=========================================================================================================================

package zapSeleniumDemo;

import org.junit.Test;

import org.openqa.selenium.WebDriver;

import org.openqa.selenium.firefox.FirefoxDriver;

import org.openqa.selenium.firefox.FirefoxProfile;

import org.openqa.selenium.firefox.internal.ProfilesIni;

import org.zaproxy.clientapi.core.ClientApi;

public class ZapSeleniumDemo {

public static void main(String args[]) throws InterruptedException {

String ZAP_HOSTNAME = "localhost";

int ZAP_SESSION_PORT = 8090;

String ZAP_URI_PORT = "https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project";

String ZAP_SESSION_IP = "127.0.0.1";

ClientApi api = new ClientApi( ZAP_HOSTNAME, ZAP_SESSION_PORT );

System.setProperty("webdriver.gecko.driver", 

  "C:/Selenium Drivers/test/geckodriver.exe");

ZapTools zap = new ZapTools();

if( zap.startZAP() == false ) {

System.out.println( "ZAP failed to start. Terminating..." );

System.exit(0);

}

//firefox browser profiling by selenium  

ProfilesIni profile= new ProfilesIni();

FirefoxProfile myProfile = profile.getProfile("default");

WebDriver driver = new FirefoxDriver(myProfile);

driver.navigate().to("https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project");

Thread.sleep(5000);

//zap scanning starts

    if( zap.spider( api, ZAP_URI_PORT ) == false ) {

    System.out.println( "Spider Failed - see console for details. Continuing..." );

    }    

    if( zap.ascan( api, ZAP_URI_PORT ) == false ) {

    System.out.println( "Active Scan Failed - see console for details. Continuing..." );

    }    

    System.out.println( zap.checkErrors( api ) );

    zap.saveSession (api, "Vulnerable" );

    zap.stopZAP( ZAP_SESSION_IP, ZAP_SESSION_PORT );

}

}

===============================================================================================================

and this is my Zap function class:

===============================================================================================================

package zapSeleniumDemo;

import java.io.BufferedReader;

import java.io.File;

import java.io.InputStreamReader;

import java.io.OutputStreamWriter;

import java.util.ArrayList;

import java.util.List;

import org.zaproxy.clientapi.core.Alert;

import org.zaproxy.clientapi.core.ClientApi;

import org.zaproxy.clientapi.core.ClientApiException;

import org.zaproxy.clientapi.core.ClientApiMain;

import org.zaproxy.clientapi.gen.Spider;

public class ZapTools {

String ZAP_LOCATION = "C:\\Program Files\\OWASP\\Zed Attack Proxy\\";

String SAVE_SESSION_DIRECTORY = "ZAPSessions\\";

public boolean startZAP() {

try {

String[] command = { "CMD", "/C", this.ZAP_LOCATION + "ZAP.exe" };

ProcessBuilder proc = new ProcessBuilder(command);

proc.directory(new File(this.ZAP_LOCATION));

Process p = proc.start();

p.waitFor();

BufferedReader input = new BufferedReader(new InputStreamReader(

p.getInputStream()));

OutputStreamWriter oStream = new OutputStreamWriter(

p.getOutputStream());

oStream.write("process where name='ZAP.exe'");

oStream.flush();

oStream.close();

String line;

while ((line = input.readLine()) != null) {

//kludge to tell when ZAP is started and ready

if (line.contains("INFO") && line.contains("org.parosproxy.paros.control.Control") && line.contains("New Session")) {

input.close();

break;

}

}

System.out.println("ZAP has started successfully.");

return true;

} catch (Exception ex) {

System.out.println("ZAP was unable to start.");

ex.printStackTrace();

return false;

}

}

public void stopZAP(String zapaddr, int zapport) {

ClientApiMain.main(new String[] { "stop", "zapaddr=" + zapaddr, "zapport=" + zapport });

}

public void startSession(String zapaddr, int zapport) {

ClientApiMain.main(new String[] { "newSession", "zapaddr=" + zapaddr, "zapport=" + zapport });

System.out.println( "session started" );

System.out.println("Session started successfully.");

}

public void saveSession(ClientApi api, String fileName) {

try {

String path = this.SAVE_SESSION_DIRECTORY + fileName + ".session";

api.core.saveSession(path,null);

System.out.println( "Session save successful (" + path + ")." );

} catch (ClientApiException ex) {

System.out.println( "Error saving session." );

ex.printStackTrace();

}

}

public boolean ascan(ClientApi api, String ZAP_URI_PORT) {

try {

System.out.println("Active scan starting...");

api.ascan.scan(ZAP_URI_PORT, null, null,null,null,null);

//kludge to see when scan is done - Currently am not sure how to work with the ApiRepsonse Object

while (api.ascan.status("100").toString(0).contains("100") == false) {

System.out.println("active scan progress: " + api.ascan.status(ZAP_URI_PORT).toString(0));

try {

Thread.sleep(15000); //basically printing status every 15 seconds

} catch (InterruptedException e) {

e.printStackTrace();

}

}

System.out.println("progress: " + api.ascan.status(ZAP_URI_PORT).toString(0));

return true;

} catch (ClientApiException ex) {

ex.printStackTrace();

return false;

}

}

public boolean spider(ClientApi api, String ZAP_URI_PORT) {

try{

System.out.println("Spider scan starting...");

Spider spider = new Spider( api );

spider.scan( ZAP_URI_PORT, null, null, null, null );

//kludge to see when spider has completed - currently am not sure how to use the ApiResponse Object

while (spider.status(ZAP_URI_PORT).toString(0).contains("100") == false) {

System.out.println("progress: " + spider.status(ZAP_URI_PORT).toString(0));

try {

Thread.sleep(5000); //basically printing status every 5 seconds

} catch (InterruptedException e) {

e.printStackTrace();

}

}

System.out.println("progress: " + spider.status(ZAP_URI_PORT).toString(0));

return true;

} catch(ClientApiException ex) {

ex.printStackTrace();

return false;

}

}

public String checkErrors(ClientApi api) {

String errors = "";

List<Alert> ignoreAlerts = new ArrayList<>(2);

//ignoreAlerts.add(new Alert("Cookie set without HttpOnly flag", null, Risk.Low, Reliability.Warning, null, null) {});

//ignoreAlerts.add(new Alert(null, null, Risk.Low, Reliability.Warning, null, null));

//ignoreAlerts.add(new Alert(null, null, Risk.Informational, Reliability.Warning, null, null));

try {

System.out.println("Checking Alerts...");

api.checkAlerts(ignoreAlerts, null);

} catch (Exception ex) {

System.out.println(ex.getMessage());

errors = ex.getMessage();

}

return errors;

}

}

==============================================================================================================================

after executing the application i am getting the following error:

Spider scan starting...

org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)

at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:220)

at zapSeleniumDemo.ZapTools.spider(ZapTools.java:97)

at zapSeleniumDemo.ZapSeleniumDemo.main(ZapSeleniumDemo.java:42)

Caused by: java.net.SocketException: Unexpected end of file from server

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at java.net.HttpURLConnection.getResponseCode(Unknown Source)

at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:339)

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)

... 4 more

Spider Failed - see console for details. Continuing...

Active scan starting...

org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)

at org.zaproxy.clientapi.gen.Ascan.scan(Ascan.java:251)

at org.zaproxy.clientapi.gen.Ascan.scan(Ascan.java:222)

at zapSeleniumDemo.ZapTools.ascan(ZapTools.java:75)

at zapSeleniumDemo.ZapSeleniumDemo.main(ZapSeleniumDemo.java:45)

Caused by: java.net.SocketException: Unexpected end of file from server

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at java.net.HttpURLConnection.getResponseCode(Unknown Source)

at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:339)

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)

... 5 more

Active Scan Failed - see console for details. Continuing...

Checking Alerts...

java.net.SocketException: Unexpected end of file from server

java.net.SocketException: Unexpected end of file from server

Error saving session.

org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)

at org.zaproxy.clientapi.gen.Core.saveSession(Core.java:314)

at zapSeleniumDemo.ZapTools.saveSession(ZapTools.java:64)

at zapSeleniumDemo.ZapSeleniumDemo.main(ZapSeleniumDemo.java:49)

Caused by: java.net.SocketException: Unexpected end of file from server

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at java.net.HttpURLConnection.getResponseCode(Unknown Source)

at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:339)

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)

... 4 more

org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)

at org.zaproxy.clientapi.gen.Core.shutdown(Core.java:279)

at org.zaproxy.clientapi.core.ClientApiMain.executeTask(ClientApiMain.java:59)

at org.zaproxy.clientapi.core.ClientApiMain.<init>(ClientApiMain.java:48)

at org.zaproxy.clientapi.core.ClientApiMain.main(ClientApiMain.java:42)

at zapSeleniumDemo.ZapTools.stopZAP(ZapTools.java:52)

at zapSeleniumDemo.ZapSeleniumDemo.main(ZapSeleniumDemo.java:50)

Caused by: java.net.SocketException: Unexpected end of file from server

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)

at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at java.net.HttpURLConnection.getResponseCode(Unknown Source)

at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:339)

at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)

... 7 more

========================================================================================================================

any idea about it? 

I am using ZAP Client API 1.2.0 JAR and my ZAP proxy is configured in localhost 8090. And I am using an external application to automate the security testing(ex: the zap website). 

[thc...@gmail.com]

Hi.

That's most likely caused by missing API key:
https://github.com/zaproxy/zaproxy/wiki/FAQapikey

You can specify it when creating the ClientApi:
new ClientApi( ZAP_HOSTNAME, ZAP_SESSION_PORT, "MyApiKey");


Best regards.

[Sougata Laha]

Hey, Thanks for the helping hand. Tried it but no luck. Still getting the same error. :( 

[Sougata Laha]

Problem Solved. Found my ZAP API key and passed the API key while creating the ClientApi. Thanks a ton for the idea.  :)