Automating ZAP Token generation and Add-on


Morgan Wolf

Nov 30, 2023, 4:57:19 AM
to ZAP User Group
Hello,
I'm trying to automate the Token Generation and Analysis add-on. As I didn't find any possible API call, I went through the process of using an internal script.

For now I'm trying things out with Graal.js to launch the plugin from a standalone script.

As I was trying it out, I'm facing some issues with the plugin stopping generation. At first I thought I was probably breaking things, but it looks like even when I try the plugin normally, if I do multiple tries in a row I get an error:
225773 [SwingWorker-pool-7-thread-7] ERROR org.zaproxy.zap.extension.tokengen.TokenGenerator - An error occurred during token generation:
java.lang.NullPointerException: Cannot invoke "java.util.Set.add(Object)" because the return value of "java.util.Map.get(Object)" is null
        at org.zaproxy.zap.extension.tokengen.CharacterFrequencyMap.addToken(CharacterFrequencyMap.java:74) ~[tokengen-beta-15.zap:?]
        at org.zaproxy.zap.extension.tokengen.ExtensionTokenGen.addTokenResult(ExtensionTokenGen.java:242) ~[tokengen-beta-15.zap:?]
        at org.zaproxy.zap.extension.tokengen.TokenGenerator.generate(TokenGenerator.java:112) ~[tokengen-beta-15.zap:?]
        at org.zaproxy.zap.extension.tokengen.TokenGenerator.doInBackground(TokenGenerator.java:64) [tokengen-beta-15.zap:?]
        at org.zaproxy.zap.extension.tokengen.TokenGenerator.doInBackground(TokenGenerator.java:36) [tokengen-beta-15.zap:?]
        at javax.swing.SwingWorker$1.call(SwingWorker.java:304) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at javax.swing.SwingWorker.run(SwingWorker.java:343) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.lang.Thread.run(Thread.java:833) [?:?]

Once this error occurs, the issue is that the prompt for analysis doesn't show.
Does anyone know of a way to fix this?

The next question is regarding my automation. I managed to launch the plugin from the method startTokenGeneration().
However, the classes to access the token analysis are all hidden away from public calls. Is there a way for me to access the analysis from scripting?
I've linked my current work on the script for people who want to take a look. I'm very new to Graal.js, so any tip is appreciated as well.

Thank you.
start_token_gen_script.txt

thc...@gmail.com

Nov 30, 2023, 11:05:47 AM
to zaprox...@googlegroups.com
Hi,

I'm not able to reproduce that exception. (And that one is odd, since
there's a null check to add the Set if not present.)


Note that you should not call `init()` on the extension, that's already
called by ZAP during start up (or after the add-on is installed).

Best regards.

On 30/11/2023 09:54, Morgan Wolf wrote:
> Hello,
> I'm trying to automate the Token Generation and Analysis
> <https://www.zaproxy.org/docs/desktop/addons/token-generator/> add-on. As I

Morgan Wolf

Dec 1, 2023, 1:53:47 AM
to ZAP User Group
Hi,

Thank you for your answer. On my first setup I was able to always reproduce the issue but after trying on another computer, I cannot do it consistently.
However, after some trial and error I managed to recreate the issue (it doesn't produce the exception, though).

Steps:
1 - Run BodgeIt.
2 - Go to the login page.
3 - Try to generate 1 token (analysis popup works)
4 - Generate 1 token (no popup)
5 - Try to generate 20 000 tokens (no popup)

The only way for me to have it work again was to restart ZAP.

At step 3 and 4 the popup of analysis doesn't appear. I'm guessing because the first run never finished. My guess for the error on my other setup was some token loss (due to connection?).
It looks like when the tokens aren't all caught, there are some issues that can arise.
As clicking on stop doesn't stop the bugged run, it stays and it is not possible to run another one.

I've linked some screenshots for explanation.
I don't know if it's important, but I use Chrome and Windows.

generate_1_StillHere.png
generate1.png

Morgan Wolf

Dec 15, 2023, 8:27:24 AM
to ZAP User Group
Aside from the bug, would there be a way to add the plugin to the API endpoint to make it usable from an automation point of view?

kingthorin+zap

Dec 15, 2023, 8:34:10 AM
to ZAP User Group
Not currently. It shouldn't be too hard to add an API to it, but I'm not aware of it being on anyone's radar.