I'm trying to use ZAP through cmd line for scanning SOAP and REST


Sai Theja Pamarty

Jan 13, 2023, 4:39:05 AM
to OWASP ZAP User Group
ZAP Version: 2.11.1
Java Version: 1.8.0_181
Environment: Linux 3.10.0-1160.80.1.0.1.el7.x86_64 (Remote server)

I have to scan REST, SOAP, and some web applications for vulnerabilities through the cmd line (as mentioned in the above info).
I didn't install the ZAP GUI.
So, I'm running it in headless mode using the '-cmd' option and the jar file.

I used the cmd,
java -Xmx7998m -XX:+UseG1GC -jar zap-2.11.1.jar -cmd -quickurl www.example.com?application?wsdl -quickprogress -quickout zap_report.html

It's giving the report, but I've tried the GUI version and got some extra vulnerabilities like SOAP action spoofing, etc.

How to get the same result as the GUI version using the '-cmd' option?

I've tried to use the '-addoninstall' to install 'soapsendrequest'

java -jar zap.jar -cmd -addonupdate -addoninstall soapsendrequest

o/p: check for update call failed

It's basically not working.

Can anyone suggest a way to scan SOAP and REST URLs?




Simon Bennetts

Jan 13, 2023, 5:13:49 AM
to OWASP ZAP User Group
Hiya,

The "quickurl" command line option is deliberately very limited, and to be honest I don't recommend it.
The full set of automation options are shown on https://www.zaproxy.org/docs/automate/
The easiest option for APIs is the packaged API scan: https://www.zaproxy.org/docs/docker/api-scan/
However, the Automation Framework is more flexible and powerful and does not depend on Docker: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon
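An Automation Framework plan covering what the question asks for (import a WSDL, active scan it, write an HTML report) is an added example here, not something from this thread or from the ZAP project itself. The target host, WSDL path, report path and context name are constructed placeholders; the job types and parameter names (addOns, soap, passiveScan-wait, activeScan, report) are taken from my reading of the AF documentation and should be checked against the docs for the ZAP version in use.

```yaml
env:
  contexts:
    - name: "soap-api"            # assumed context name
      urls:
        - "https://www.example.com"   # constructed target host
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  # Pull in the add-ons the GUI run had. This job talks to the ZAP
  # marketplace over the network, i.e. the same outbound path that timed
  # out in the log above, so it needs that access (or the .zap add-on files
  # placed in ZAP's plugin directory, ~/.ZAP/plugin by default, beforehand).
  - type: addOns
    parameters:
      updateAddOns: false
    install:
      - soap       # assumed add-on id for the SOAP scanner
      - reports    # assumed add-on id for the report job
  # Import the WSDL so the SOAP operations are in the Sites tree to be scanned.
  - type: soap
    parameters:
      wsdlUrl: "https://www.example.com/application?wsdl"   # constructed
  # Let passive scanning drain before attacking.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "soap-api"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap"          # constructed output location
      reportFile: "zap_report"
      reportTitle: "SOAP API scan"
```

The plan is run headless with `./zap.sh -cmd -autorun plan.yaml`; because the addOns job reuses the connection that `-addoninstall` could not make, fixing the outbound access (or pre-staging the add-on files) is still the first step.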

thc...@gmail.com

Jan 13, 2023, 5:43:25 AM
to zaprox...@googlegroups.com
Also, note that 2.11 is no longer supported.

Best regards.

Sai Theja Pamarty

Jan 13, 2023, 7:05:10 AM
to OWASP ZAP User Group
Hi,

Sorry to trouble you again. I've tried to use the Automation Framework, but '-addoninstall' is not working. I'm getting "check for update call failed". So, I'm unable to install -report or soap or anything else.

Thanks & Regards
Sai Theja Pamarty

kingthorin+owaspzap

Jan 13, 2023, 7:22:26 AM
to OWASP ZAP User Group
Sounds like a networking issue. Can you get to github.com from within the container?

Sai Theja Pamarty

Jan 16, 2023, 2:03:16 AM
to OWASP ZAP User Group
Yes, I'm able to access github.

Simon Bennetts

Jan 16, 2023, 4:44:57 AM
to OWASP ZAP User Group
Do you know if you are using a corporate SSL certificate?

Sai Theja Pamarty

Jan 16, 2023, 5:24:30 AM
to OWASP ZAP User Group
No, how can I check that?

Simon Bennetts

Jan 16, 2023, 5:27:08 AM
to OWASP ZAP User Group
Are there any errors in there? If so, what?

Sai Theja Pamarty

Jan 16, 2023, 6:53:24 AM
to OWASP ZAP User Group
I'm attaching the part where the error started.

2023-01-16 11:45:08,123 [main ] ERROR CommandLine - This ZAP installation is over a year old - its probably very out of date
2023-01-16 11:45:08,175 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:39465
2023-01-16 11:45:08,179 [main ] INFO  ExtensionDynSSL - Creating new root CA certificate
2023-01-16 11:45:08,533 [main ] INFO  ExtensionDynSSL - New root CA certificate created
2023-01-16 11:45:48,617 [ZAP-cfu] WARN  ExtensionAutoUpdate - Failed to check for updates using: https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.11.xml
java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_181]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_181]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_181]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_181]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_181]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_181]
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:673) ~[?:1.8.0_181]
    at org.parosproxy.paros.network.SSLConnector.createSocket(SSLConnector.java:460) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:457) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getRemoteConfigurationUrl(ExtensionAutoUpdate.java:1037) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.access$900(ExtensionAutoUpdate.java:93) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate$8.run(ExtensionAutoUpdate.java:1206) [zap-2.11.1.jar:2.11.1]
2023-01-16 11:45:49,538 [main ] ERROR CommandLine - Check for updates call failed
2023-01-16 11:45:50,650 [main ] INFO  ENGINE - dataFileCache commit start
2023-01-16 11:45:50,652 [main ] INFO  ENGINE - dataFileCache commit end
2023-01-16 11:45:50,656 [main ] INFO  ENGINE - Database closed
2023-01-16 11:45:50,762 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.

Simon Bennetts

Jan 16, 2023, 7:44:47 AM
to OWASP ZAP User Group
ZAP is failing to connect to the ZAP check-for-updates service.
In 2.11.1 ZAP uses a bit.ly redirect; this is sometimes a problem.
As mentioned before, 2.11 is no longer supported, so we recommend you update to 2.12.0 and try again.

Cheers,

Simon

Sai Theja Pamarty

Jan 17, 2023, 7:16:57 AM
to OWASP ZAP User Group
Is there any way around this, or is it due to some blocking or to not installing the GUI version?
I tried using daemon mode, but only quickurl, quickout and some other options work, and it always ends in a connection timeout and never exits from that cmd.

Is there any other way to scan SOAP and REST URLs through Azure DevOps, except for Docker, as the Automation Framework isn't working?