Problems using the weekly image


Emy

Jul 1, 2022, 7:47:10 AM
to OWASP ZAP User Group

Hi!

I have some problems when running scans with the weekly image: with the AJAX Spider (using the zap-full-scan.py) and with a Selenium script (either using the automation framework or the zap-full-scan.py script).

Here is the command I run:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://10.0.2.15:9000 -r ../rapport.html -n ciri-context.context -j -z "-config connection.timeoutInSecs=40 -config ajaxSpider.maxDuration=2" --hook=my-hooks.py -d

1. Selenium script

The Selenium script is added correctly and it's launched at the beginning of the AJAX Spider. However, the script doesn't run until the end. Sometimes it just shows the first messages and sometimes it makes some clicks after. As soon as the AJAX Spider runs, the proxy starts. Then, I get this error just before the first message of my Selenium script:
<eval>:14 TypeError: null has no such function "contains".

Note that my Selenium script works entirely (most of the time) when I use it locally with the automation framework.

Do you know why it stops randomly and doesn't go to the end?

2. AJAX Spider

The max duration of the AJAX Spider is 2 minutes. When the two minutes are up, this message appears in the zap.out file:
145957 [pool-2-thread-1] INFO  com.crawljax.core.CrawlController - Time is up! Shutting down...
Then, it takes a few minutes to turn off (about 3-4 minutes) but in the terminal where I ran my command to start ZAP, nothing happens. I don't see any message. It's like the AJAX Spider is still running. The active scan doesn't start.

Do you know what the problem is?

I have attached the zap.out and the zap.log files.

Thanks,
Emy
zap.log
zap.out.ini

Simon Bennetts

Jul 1, 2022, 8:40:11 AM
to OWASP ZAP User Group
Strange.
Try using the "-m" parameter to set the spider timeout instead of setting it via a "-config" option: https://www.zaproxy.org/docs/docker/full-scan/
I don't know if that will solve the problem but it's what I'd try first.

Cheers,

Simon

Emy

Jul 1, 2022, 9:03:14 AM
to OWASP ZAP User Group
It's not better :(
The AJAX Spider doesn't pass to the active scan (and my Selenium script is still not fully implemented btw).

Thanks,
Emy

Emy

Jul 4, 2022, 2:57:44 AM
to OWASP ZAP User Group
Hello,

I saw that the version of Selenium isn't the same. When I use Selenium locally, the version of the add-on is 15.9.0 and in the weekly image, the version is 15.10.0.
What are the differences between these 2 versions? Maybe it's for this reason that my Selenium script doesn't work very well in the Docker image.

Same with the AJAX Spider. In the weekly image, the version is 23.8.0 and locally, it's 23.7.0. What are the differences?

Thanks,
Emy

Emy

Jul 4, 2022, 3:39:18 AM
to OWASP ZAP User Group
I seem to have the same problem with the active scan when I don't run AJAX Spider (same command but without the -j option).
After the Spider, the active scan is started but it remains at 56% while in the file zap.out, the scan is finished:
400284 [ZAP-Scanner-0] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host http://10.0.2.15:9000 in 368.833s with 35 alert(s) raised.

Thanks,
Emy

Emy

Jul 5, 2022, 2:40:26 AM
to OWASP ZAP User Group
Hi,

I would like to know if Selenium logs exist. Where can I find them or how can I generate them?

Thanks,
Emy

Simon Bennetts

Jul 5, 2022, 3:58:07 AM
to OWASP ZAP User Group
Hi Emy,

The only log file we use is the zap.out file; there is no separate Selenium log.
I will try to look into this at some point but I don't know exactly when right now.

Cheers,

Simon