Containerized ZAP takes longer to run than local


Alan

Feb 29, 2024, 5:26:53 PM
to ZAP User Group
Tested 2 pages:
Containerized (OpenShift) ZAP runtime is over 1 hr
Local ZAP runtime is 10 min

After comparing the logs, I found that the following log lines repeat very often during "Cross Site Scripting (DOM Based), Spring4Shell, Remote OS Command Injection", which takes up most of the time in the containerized execution:

---------------
3091645 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3121657 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3151668 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3181680 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3211691 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3221212 [ZAP-ActiveScanner-8] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [e155f87b-97fe-41cd-95c6-ee12caee4930, findElements {using=tag name, value=button}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:8372, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 8902, moz:profile: /tmp/rust_mozprofiletNNspy, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:9422/devtool..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
---------------


1. "org.zaproxy.zap.extension.api.API - handleApiRequest" - why does a status check API call take 30 sec, and why is this API call repeated multiple times?
2. Local ZAP execution of the same test doesn't have these status check API calls.


Please suggest a resolution

Thanks

Simon Bennetts

Mar 4, 2024, 5:21:16 AM
to ZAP User Group
Hiya,

The DOM XSS rule works by launching a browser to attack the target.
It looks like this is having problems connecting to the target app.
Are there any other errors in the zap.log file?

How are you running ZAP in the container?

Cheers,

Simon

Alan

Mar 4, 2024, 10:29:02 AM
to ZAP User Group

ZAP run command:
  zap-x.sh -daemon -silent -host 0.0.0.0 -port 8090

Also, I could see a lot of unclosed Firefox processes running after the execution, which take up a lot of memory.

Additional logs:

520286 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - New driver 1247488365
520564 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - Driver hung 909379405
540610 [Thread-2575] WARN  org.openqa.selenium.os.ExternalProcess - failed to copy the output of process 1375
java.io.IOException: Stream closed
at java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:176) ~[?:?]
at java.io.BufferedInputStream.read1(BufferedInputStream.java:289) ~[?:?]
at java.io.BufferedInputStream.read(BufferedInputStream.java:351) ~[?:?]
at java.io.InputStream.transferTo(InputStream.java:704) ~[?:?]
at org.openqa.selenium.os.ExternalProcess$Builder.lambda$start$0(ExternalProcess.java:209) ~[?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]

-------------------------------------

550658 [ZAP-ActiveScanner-11] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.WebDriverException: Failed to decode response from marionette

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [fe84245b-4892-448e-8e8b-91c54d1e7c82, findElements {using=tag name, value=input}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:12464, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1831, moz:profile: /tmp/rust_mozprofiled0S3Wu, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:12464/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: fe84245b-4892-448e-8e8b-91c54d1e7c82


-------------------------------------
545334 [ZAP-IO-Server-1-10] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: firefox.settings.services.mozilla.com:443
547609 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - New driver 361441571
547609 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - Driver hung 982579854
549962 [ZAP-ActiveScanner-30] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.WebDriverException: Failed to decode response from marionette

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [356aee64-ab43-43c5-9b2c-a1ab49a2a85b, findElements {using=tag name, value=input}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:31588, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1847, moz:profile: /tmp/rust_mozprofilebiFxkV, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:31588/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: 356aee64-ab43-43c5-562c-a1ab49a4585b
549968 [ZAP-DomXssReaper] ERROR org.zaproxy.zap.ZAP.UncaughtExceptionLogger - Exception in thread "ZAP-DomXssReaper"
org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [356aee64-ab43-43c5-9b2c-a1ab49a2a85b, quit {}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:31588, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1847, moz:profile: /tmp/rust_mozprofilebiFxkV, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:31588/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: 356aee64-ab43-43c5-9b2c-a1ab49a2a85b
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.createException(W3CHttpResponseCodec.java:200) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:133) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:52) ~[?:?]
at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:191) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.invokeExecute(DriverCommandExecutor.java:200) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.lambda$execute$1(DriverCommandExecutor.java:128) ~[?:?]
at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]

--------------------------------

572870 [ZAP-IO-Server-1-10] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: firefox.settings.services.mozilla.com:443
600015 [ZAP-ActiveScanner-30] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Session ID is null. Using WebDriver after calling quit()?

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [null, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:31588, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1847, moz:profile: /tmp/rust_mozprofilebiFxkV, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:31588/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
org.openqa.selenium.NoSuchSessionException: Session ID is null. Using WebDriver after calling quit()?

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [null, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:31588, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1847, moz:profile: /tmp/rust_mozprofilebiFxkV, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:31588/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:152) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.invokeExecute(DriverCommandExecutor.java:200) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:175) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:607) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:309) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:356) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.scan(DomXssScanRule.java:663) ~[?:?]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:369) [zap-2.14.0.jar:2.14.0]
at java.lang.Thread.run(Thread.java:829) [?:?]

---------------------------------

600751 [ZAP-Scanner-0] DEBUG org.parosproxy.paros.core.scanner.HostProcess - scanSingleNode node plugin=Cross Site Scripting (DOM Based) node=https://mysitepath/images/span.gif
600752 [ZAP-Scanner-0] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - Using browser: FIREFOX_HEADLESS
600847 [ZAP-ActiveScanner-11] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Tried to run command without establishing a connection

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [fe84245b-4892-448e-8e8b-91c54d1e7c82, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:12464, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1831, moz:profile: /tmp/rust_mozprofiled0S3Wu, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:12464/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: fe84245b-4892-448e-8e8b-91c54d1e7c82
org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection

Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.21'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [fe84245b-4892-448e-8e8b-91c54d1e7c82, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.6.0, moz:accessibilityChecks: false, moz:buildID: 20231211164624, moz:debuggerAddress: 127.0.0.1:12464, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1831, moz:profile: /tmp/rust_mozprofiled0S3Wu, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:12464/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: fe84245b-4892-448e-8e8b-91c54d1e7c82
at jdk.internal.reflect.GeneratedConstructorAccessor152.newInstance(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.createException(W3CHttpResponseCodec.java:200) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:133) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:52) ~[?:?]
at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:191) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.invokeExecute(DriverCommandExecutor.java:200) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:175) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:607) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:309) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:356) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.scan(DomXssScanRule.java:663) ~[?:?]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:369) [zap-2.14.0.jar:2.14.0]
at java.lang.Thread.run(Thread.java:829) [?:?]

thc...@gmail.com

Mar 5, 2024, 2:43:48 AM
to zaprox...@googlegroups.com
Looks like you are using outdated versions of the add-ons; which image are you using?

Updating the add-ons (Selenium especially) should address the browser launching issue.

Best regards.

Alan

Mar 5, 2024, 10:42:38 AM
to ZAP User Group
I'm using zap2docker-stable:latest
The older version of Selenium was due to the "-silent" param passed. Removed it, and now it installs the new Selenium version.
But the original issue is still there.


Add-on versions:

3136 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=alertFilters, version=19.0.0], [id=ascanrules, version=63.0.0], [id=authhelper, version=0.12.0], [id=automation, version=0.35.0], [id=bruteforce, version=15.0.0], [id=callhome, version=0.10.0], [id=commonlib, version=1.22.0], [id=database, version=0.3.0], [id=diff, version=14.0.0], [id=directorylistv1, version=7.0.0], [id=domxss, version=18.0.0], [id=encoder, version=1.4.0], [id=exim, version=0.8.0], [id=formhandler, version=6.5.0], [id=fuzz, version=13.12.0], [id=gettingStarted, version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql, version=0.23.0], [id=help, version=17.0.0], [id=hud, version=0.18.0], [id=invoke, version=14.0.0], [id=network, version=0.14.0], [id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0], [id=openapi, version=39.0.0], [id=postman, version=0.2.0], [id=pscanrules, version=56.0.0], [id=quickstart, version=43.0.0], [id=replacer, version=16.0.0], [id=reports, version=0.29.0], [id=requester, version=7.4.0], [id=retest, version=0.8.0], [id=retire, version=0.32.0], [id=reveal, version=7.0.0], [id=scripts, version=45.0.0], [id=selenium, version=15.19.0], [id=soap, version=21.0.0], [id=spider, version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips, version=12.0.0], [id=webdriverlinux, version=73.0.0], [id=websocket, version=30.0.0], [id=zest, version=43.0.0]]



Also found the following log. Not sure if this is related to Selenium:

4919 [ZAP-daemon] DEBUG org.zaproxy.zap.extension.script.ExtensionScript - registerEngineWrapper Zest : Mozilla Zest
5000 [ZAP-daemon] DEBUG org.zaproxy.zap.extension.zest.ExtensionZest - Unable to find displayScript method with allowFocus
java.lang.NullPointerException: null
at org.zaproxy.zap.extension.zest.ExtensionZest.hook(ExtensionZest.java:233) [zest-beta-43.zap:?]
at org.parosproxy.paros.extension.ExtensionLoader.hookAllExtension(ExtensionLoader.java:934) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(ExtensionLoader.java:801) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.AbstractControl.loadExtension(AbstractControl.java:58) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.Control.init(Control.java:156) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.Control.initSingletonWithoutView(Control.java:394) [zap-2.14.0.jar:2.14.0]
at org.zaproxy.zap.HeadlessBootstrap.initControl(HeadlessBootstrap.java:59) [zap-2.14.0.jar:2.14.0]
at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:75) [zap-2.14.0.jar:2.14.0]
at java.lang.Thread.run(Thread.java:829) [?:?]
5009 [ZAP-daemon] DEBUG org.zaproxy.zap.extension.zest.ExtensionZest - Unable to find selectNode method with allowFocus
java.lang.NullPointerException: null
at org.zaproxy.zap.extension.zest.ExtensionZest.hook(ExtensionZest.java:242) [zest-beta-43.zap:?]
at org.parosproxy.paros.extension.ExtensionLoader.hookAllExtension(ExtensionLoader.java:934) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(ExtensionLoader.java:801) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.AbstractControl.loadExtension(AbstractControl.java:58) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.Control.init(Control.java:156) [zap-2.14.0.jar:2.14.0]
at org.parosproxy.paros.control.Control.initSingletonWithoutView(Control.java:394) [zap-2.14.0.jar:2.14.0]
at org.zaproxy.zap.HeadlessBootstrap.initControl(HeadlessBootstrap.java:59) [zap-2.14.0.jar:2.14.0]
at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:75) [zap-2.14.0.jar:2.14.0]
at java.lang.Thread.run(Thread.java:829) [?:?]

Simon Bennetts

Mar 7, 2024, 5:21:42 AM
to ZAP User Group
Those errors look like they are unrelated, at least at this stage.

Can you share the full logs, redacting anything sensitive?
Just from one run where it's using the latest add-ons.

Cheers,

Simon

dk

Mar 8, 2024, 10:18:25 AM
to ZAP User Group
I'm not allowed to share the entire log as per company policy.

Update:
About my question "why does a status check API call take 30 sec and why is it repeated multiple times": my automation script was polling the status every 30 sec. So please ignore this question.

The actual issue is that during "Cross Site Scripting (DOM Based), Spring4Shell, Remote OS Command Injection" it tries to use Selenium and times out, and that takes up a lot of time:

488161 [External Process Output Forwarder - /home/zap/.ZAP/webdriver/linux/64/geckodriver] WARN  org.openqa.selenium.os.ExternalProcess - failed to copy the output of process 8443
java.io.IOException: Stream closed
at java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:176) ~[?:?]
at java.io.BufferedInputStream.read1(BufferedInputStream.java:289) ~[?:?]
at java.io.BufferedInputStream.read(BufferedInputStream.java:351) ~[?:?]
at java.io.InputStream.transferTo(InputStream.java:704) ~[?:?]
at org.openqa.selenium.os.ExternalProcess$Builder.lambda$start$0(ExternalProcess.java:210) ~[?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
767610 [ZAP-ActiveScanner-3] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
Build info: version: '4.18.1', revision: 'b1d3319b48'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.22'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [ab24dddc-916e-4ba3-af3e-aea50qqa766, findElements {using=tag name, value=div}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.8.0, moz:accessibilityChecks: false, moz:buildID: 20240212204114, moz:debuggerAddress: 127.0.0.1:1700, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1725, moz:profile: /tmp/rust_mozprofiletX8H5K, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:1700/devtool..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: ab24dwdc-916e-4ba3-af3e-aea5041ww766
794426 [ZAP-ActiveScanner-4] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
Build info: version: '4.18.1', revision: 'b1d3319b48'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.22'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [8595b8f9-c8ce-412b-952f-af2c12762ecf, findElements {using=tag name, value=div}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.8.0, moz:accessibilityChecks: false, moz:buildID: 20240212204114, moz:debuggerAddress: 127.0.0.1:14624, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 1938, moz:profile: /tmp/rust_mozprofileNRwcFl, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:14624/devtoo..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: 8595q8f9-c8ce-412b-952f-af2c12wwwcf
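To separate the two things dk distinguishes above (the client's 30 s status polling versus the DOM XSS rule's Selenium failures), here is an added example, not from the thread or from the ZAP project, that parses zap.log lines in the "<ms since start> [thread] LEVEL logger - message" shape seen in the quoted logs. The sample log is constructed from messages quoted in the thread, with made-up monotonically increasing timestamps.

```python
import re
import statistics
from collections import Counter, defaultdict

# Log line shape seen throughout the thread: "<ms since start> [<thread>] <LEVEL> <logger> - <message>".
# Stack-trace, "Build info:" and "Command: [...]" continuation lines do not match and are skipped.
LINE_RE = re.compile(r"^(\d+) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")

# Substrings that mark a browser/driver failure in the DOM XSS rule's messages (all taken from the thread).
DRIVER_FAILURE_SIGNATURES = (
    "org.openqa.selenium.TimeoutException",
    "org.openqa.selenium.WebDriverException",
    "Tried to run command without establishing a connection",
    "Session ID is null",
    "Driver hung",
)

# Constructed sample: messages from the thread, timestamps invented so that one run is simulated.
SAMPLE_LOG = """\
3091645 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3100000 [ZAP-Scanner-0] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - Using browser: FIREFOX_HEADLESS
3100500 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - New driver 1247488365
3100800 [ZAP-DomXssReaper] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - Driver hung 909379405
3121657 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3130000 [ZAP-ActiveScanner-11] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.WebDriverException: Failed to decode response from marionette
Build info: version: '4.18.1', revision: 'b1d3319b48'
Command: [fe84245b-4892-448e-8e8b-91c54d1e7c82, findElements {using=tag name, value=input}]
3151668 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3160000 [ZAP-ActiveScanner-30] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Session ID is null. Using WebDriver after calling quit()?
at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:152) ~[?:?]
3181680 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3190000 [ZAP-ActiveScanner-11] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Tried to run command without establishing a connection
3211691 [ZAP-IO-Server-1-34] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
3221212 [ZAP-ActiveScanner-8] DEBUG org.zaproxy.zap.extension.domxss.DomXssScanRule - org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
"""


def parse_log(lines):
    """Return (ms, thread, level, logger, message) tuples for the lines that match the ZAP log format."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ms, thread, level, logger, message = m.groups()
            records.append((int(ms), thread, level, logger, message))
    return records


def classify_failure(message):
    """Return the first failure signature contained in the message, or None if it is not a failure."""
    for sig in DRIVER_FAILURE_SIGNATURES:
        if sig in message:
            return sig
    return None


def triage(lines):
    """Summarise where the scan time goes: client-side status polling versus DOM XSS driver failures."""
    records = parse_log(lines)

    # 1. Status polls are requests *to* the ZAP API, so their spacing is the automation client's period.
    poll_times = [ms for ms, _t, _l, logger, msg in records
                  if logger.endswith(".API") and "ascan/view/status" in msg]
    gaps = [b - a for a, b in zip(poll_times, poll_times[1:])]

    # 2. Driver failures logged by the DOM XSS rule, counted per signature and per scanner thread.
    by_signature = Counter()
    by_thread = defaultdict(int)
    failure_times = []
    for ms, thread, _level, logger, message in records:
        if not logger.endswith("DomXssScanRule"):
            continue
        sig = classify_failure(message)
        if sig:
            by_signature[sig] += 1
            by_thread[thread] += 1
            failure_times.append(ms)

    return {
        "status_polls": len(poll_times),
        "median_poll_gap_ms": int(statistics.median(gaps)) if gaps else None,
        "driver_failures": dict(by_signature),
        "failures_by_thread": dict(by_thread),
        "failure_window_ms": (failure_times[-1] - failure_times[0]) if failure_times else 0,
    }


def hints(summary):
    """Turn the summary into the conclusions a reviewer would draw (mirrors the thread's own findings)."""
    out = []
    gap = summary["median_poll_gap_ms"]
    if gap and gap >= 10_000:
        out.append(f"status API calls are ~{gap // 1000}s apart: that is the client's polling interval, not ZAP slowness")
    total = sum(summary["driver_failures"].values())
    if total:
        out.append(f"{total} DOM XSS driver failures over {summary['failure_window_ms'] // 1000}s: "
                   "the rule cannot drive Firefox, check the browser/geckodriver inside the container")
    return out


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    print(summary)
    for h in hints(summary):
        print("-", h)
```

Run it against a real zap.log with `triage(open("zap.log").readlines())`; the per-thread counts show whether every scanner thread is losing its browser or only a few.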

Simon Bennetts

Mar 11, 2024, 6:43:22 AM
to ZAP User Group
OK, it looks like you're having problems launching Firefox.
Have you updated all of the add-ons, esp the webdrivers?

Cheers,

Simon

dk

Mar 11, 2024, 8:19:51 AM
to ZAP User Group
All add-ons are up to date:

Installed add-ons: [[id=alertFilters, version=19.0.0], [id=ascanrules, version=63.0.0], [id=authhelper, version=0.12.0], [id=automation, version=0.35.0], [id=bruteforce, version=15.0.0], [id=callhome, version=0.10.0], [id=commonlib, version=1.22.0], [id=database, version=0.3.0], [id=diff, version=14.0.0], [id=directorylistv1, version=7.0.0], [id=domxss, version=18.0.0], [id=encoder, version=1.4.0], [id=exim, version=0.8.0], [id=formhandler, version=6.5.0], [id=fuzz, version=13.12.0], [id=gettingStarted, version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql, version=0.23.0], [id=help, version=17.0.0], [id=hud, version=0.18.0], [id=invoke, version=14.0.0], [id=network, version=0.14.0], [id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0], [id=openapi, version=39.0.0], [id=postman, version=0.2.0], [id=pscanrules, version=56.0.0], [id=quickstart, version=43.0.0], [id=replacer, version=16.0.0], [id=reports, version=0.29.0], [id=requester, version=7.4.0], [id=retest, version=0.8.0], [id=retire, version=0.32.0], [id=reveal, version=7.0.0], [id=scripts, version=45.0.0], [id=selenium, version=15.19.0], [id=soap, version=21.0.0], [id=spider, version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips, version=12.0.0], [id=webdriverlinux, version=73.0.0], [id=websocket, version=30.0.0], [id=zest, version=43.0.0]]

Simon Bennetts

Mar 11, 2024, 8:30:35 AM
to ZAP User Group
I beg to differ - the latest webdriver add-ons are 74 ...

dk

Mar 11, 2024, 9:25:09 AM
to ZAP User Group
webdriverlinux is also getting updated to v74.0.0 through ExtensionAutoUpdate:

9045 [ZAP-daemon] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - There is/are 1 newer addons
10097 [ZAP-DownloadInstaller] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon webdriverlinux v74.0.0
10489 [ZAP-DownloadInstaller] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon webdriverlinux v74.0.0
10663 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/webdriverlinux-release-74.zap
10683 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8090

dk

Mar 18, 2024, 4:39:21 PM
to ZAP User Group
Any update on this please?

psiinon

Mar 19, 2024, 11:38:48 AM
to zaprox...@googlegroups.com
You tell us :)

Based on the error log, is ZAP now able to run Firefox?


--
For commercial support options see https://www.zaproxy.org/support/
ZAP is supported by the Crash Override Open Source Fellowship https://crashoverride.com/open-source
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/bb07f3ce-6481-4426-afcf-feb9f3fe52bdn%40googlegroups.com.

dk

Mar 19, 2024, 12:43:19 PM
to ZAP User Group
It's using the latest webdriverlinux-release-75.zap now, but I'm still getting the same errors related to Firefox.

Simon Bennetts

Mar 21, 2024, 9:56:23 AM
to ZAP User Group
It sounds like you're using your own container, or at least not an official ZAP one.
Have you checked that Firefox is correctly installed?

I _think_ you can test it with a command like this:
Cheers,

Simon

dk

Mar 21, 2024, 11:28:43 AM
to ZAP User Group
$ firefox --headless --new-tab https://www.example.com
*** You are running in headless mode.
[GFX1-]: glxtest: libpci missing
[GFX1-]: glxtest: Unable to open a connection to the X server
[GFX1-]: No GPUs detected via PCI

[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt



Dockerfile used to build the image:

FROM ghcr.io/zaproxy/zaproxy:stable
USER root
ADD mydefault.policy /home/zap/.ZAP/policies/mydefault.policy
RUN chown zap:zap /zap -R
RUN chown zap:zap /home/zap -R
RUN chmod 777 /zap -R
RUN chmod 777 /home/zap -R
USER zap
EXPOSE 8090

Simon Bennetts

Mar 22, 2024, 11:58:15 AM
to ZAP User Group
Strange - I can't see anything obviously wrong.
What happens when you use one of our images directly?
You don't actually need to create your own image if you just want to use a policy file; you can mount a directory containing that.

Cheers,

Simon

Simon Bennetts

Mar 22, 2024, 12:19:05 PM
to ZAP User Group
Also, can you confirm exactly which errors you are getting with the latest webdrivers?

dk

Mar 25, 2024, 2:56:48 PM
to ZAP User Group
Cannot use the image as such in OpenShift due to access issues.


I'm getting the same errors as before, like:

-----------------

283804 [ZAP-AjaxSpiderApi] DEBUG org.zaproxy.zap.extension.spiderAjax.SpiderThread - Setting up a Browser
285407 [ZAP-IO-Server-1-7] DEBUG org.zaproxy.zap.extension.spiderAjax.SpiderThread - Excluding request [https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=115.8&pver=2.2] not in specified context.
286081 [External Process Output Forwarder - /home/zap/.ZAP/webdriver/linux/64/geckodriver] WARN  org.openqa.selenium.os.ExternalProcess - failed to copy the output of process 668
java.io.IOException: Stream closed
at java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:176) ~[?:?]
at java.io.BufferedInputStream.read1(BufferedInputStream.java:289) ~[?:?]
at java.io.BufferedInputStream.read(BufferedInputStream.java:351) ~[?:?]
at java.io.InputStream.transferTo(InputStream.java:704) ~[?:?]
at org.openqa.selenium.os.ExternalProcess$Builder.lambda$start$0(ExternalProcess.java:210) ~[?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]

------------------

1202914 [ZAP-ActiveScanner-15] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Tried to run command without establishing a connection

Build info: version: '4.18.1', revision: 'b1d3319b48'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.22'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [fa9c2d5f-8831-44a5-99aa-8eaa82147543, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.8.0, moz:accessibilityChecks: false, moz:buildID: 20240212204114, moz:debuggerAddress: 127.0.0.1:8223, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 16398, moz:profile: /tmp/rust_mozprofileu8uv8u, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:8223/devtool..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: fa9c2d5f-8831-44a5-99aa-8eaa82147543

org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection
Build info: version: '4.18.1', revision: 'b1d3319b48'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '4.18.0-477.27.1.el8_8.x86_64', java.version: '11.0.22'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [fa9c2d5f-8831-44a5-99aa-8eaa82147543, get {url=about:blank}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 115.8.0, moz:accessibilityChecks: false, moz:buildID: 20240212204114, moz:debuggerAddress: 127.0.0.1:8223, moz:geckodriverVersion: 0.34.0, moz:headless: true, moz:platformVersion: 4.18.0-477.27.1.el8_8.x86_64, moz:processID: 16398, moz:profile: /tmp/rust_mozprofileu8uv8u, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:cdp: ws://127.0.0.1:8223/devtool..., se:cdpVersion: 85.0, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: fa9c2d5f-8831-44a5-99aa-8eaa82147543
at jdk.internal.reflect.GeneratedConstructorAccessor204.newInstance(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
at org.openqa.selenium.remote.ErrorCodec.decode(ErrorCodec.java:167) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:138) ~[?:?]
at org.openqa.selenium.remote.codec.w3c.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:50) ~[?:?]
at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:190) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.invokeExecute(DriverCommandExecutor.java:216) ~[?:?]
at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:174) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:519) ~[?:?]
at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:301) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:356) ~[?:?]
at org.zaproxy.zap.extension.domxss.DomXssScanRule.scan(DomXssScanRule.java:663) ~[?:?]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:369) [zap-2.14.0.jar:2.14.0]
at java.lang.Thread.run(Thread.java:829) [?:?]

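The excerpt above shows the pattern worth measuring when a containerised scan runs slowly: the client keeps polling the active-scan status while the DOM XSS rule's Selenium session times out or dies. The following is an added example, not code from this thread or from the ZAP project, that summarises such a log. It assumes ZAP's `<elapsed-ms> [thread] LEVEL logger - message` line layout and treats the leading integer as milliseconds since ZAP started (an assumption about the log4j pattern in use; check your own log4j2 configuration), and it assumes stack-trace continuation lines never start with a digit. The sample input mixes lines copied from the post above with constructed `ascan/view/status` poll lines so the interval logic has something to measure.

```python
"""Triage helper for ZAP log excerpts.

Added example, not code from the thread or from the ZAP project.  Assumes the
log line layout "<elapsed-ms> [<thread>] <LEVEL> <logger> - <message>", with
the leading integer being milliseconds since ZAP started (assumption), and
that stack-trace continuation lines never begin with a digit.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

LOG_LINE = re.compile(r"^(\d+) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")

# Constructed sample: the SpiderThread, ExternalProcess and DomXssScanRule
# entries are copied from the post above; the ascan status-poll lines and
# their timestamps are constructed for this example.
SAMPLE_LOG = """\
285407 [ZAP-IO-Server-1-7] DEBUG org.zaproxy.zap.extension.spiderAjax.SpiderThread - Excluding request [https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=115.8&pver=2.2] not in specified context.
286081 [External Process Output Forwarder - /home/zap/.ZAP/webdriver/linux/64/geckodriver] WARN  org.openqa.selenium.os.ExternalProcess - failed to copy the output of process 668
java.io.IOException: Stream closed
\tat java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:176) ~[?:?]
1172900 [ZAP-IO-Server-1-7] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
1202900 [ZAP-IO-Server-1-7] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
1202914 [ZAP-ActiveScanner-15] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Tried to run command without establishing a connection
Build info: version: '4.18.1', revision: 'b1d3319b48'
org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection
\tat org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:356) ~[?:?]
1232900 [ZAP-IO-Server-1-7] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/ascan/view/status/?scanId=0&
"""


@dataclass(frozen=True)
class Entry:
    ms: int
    thread: str
    level: str
    logger: str
    message: str


def parse_entries(log_text: str) -> Iterator[Entry]:
    """Yield one Entry per timestamped line; trace continuation lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ms, thread, level, logger, message = m.groups()
            yield Entry(int(ms), thread, level, logger, message)


def is_browser_failure(entry: Entry) -> bool:
    """DOM XSS rule entries that show the Selenium session timing out or gone."""
    return entry.logger.endswith("DomXssScanRule") and (
        "TimeoutException" in entry.message
        or "without establishing a connection" in entry.message
    )


def summarize(log_text: str) -> dict:
    """Reduce a log excerpt to the few numbers that explain where time went."""
    entries = list(parse_entries(log_text))
    polls = [e.ms for e in entries if "ascan/view/status" in e.message]
    failures = [e for e in entries if is_browser_failure(e)]
    start = entries[0].ms if entries else 0
    return {
        "entries": len(entries),
        "elapsed_minutes": round((entries[-1].ms - start) / 60_000, 1) if entries else 0.0,
        # A steady poll cadence with nothing but browser errors in between means
        # the scanner threads, not the API client, are what is slow.
        "poll_interval_ms": [b - a for a, b in zip(polls, polls[1:])],
        "problems": Counter((e.level, e.logger) for e in entries if e.level in ("WARN", "ERROR")),
        "browser_failures_by_thread": Counter(e.thread for e in failures),
        "first_browser_failure_minutes": round((failures[0].ms - start) / 60_000, 1) if failures else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over a full log (`summarize(open("zap.log").read())`) and compare the `first_browser_failure_minutes` and `browser_failures_by_thread` counts between the local and containerised runs: if the container shows failures starting early and spread across many `ZAP-ActiveScanner-*` threads, the slowdown is the per-request Selenium timeout rather than the pages themselves.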
Simon Bennetts

Mar 28, 2024, 11:01:15 AM
to ZAP User Group
Update all of the add-ons and try again.
We've just updated selenium so that might fix it?

Cheers,

Simon

dk

Apr 1, 2024, 9:40:32 AM
to ZAP User Group
Updated all of the add-ons:
org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon selenium v15.20.0
org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon webdriverlinux v77.0.0

But, still getting the same errors.

thc...@gmail.com

Apr 1, 2024, 10:11:10 AM
to zaprox...@googlegroups.com
Attach the whole log, from start of ZAP to shutdown.

Best regards.

On 01/04/2024 14:40, dk wrote:
> Updated all of the add-ons:
> org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished
> installing new addon selenium v15.20.0
> org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished
> installing new addon webdriverlinux v77.0.0
>
> *But, still getting the same errors*
>>>>>> *Docker file used to build image:*
>>>>>>
>>>>>> FROM ghcr.io/zaproxy/zaproxy:stable
>>>>>> USER root
>>>>>> ADD mydefault.policy /home/zap/.ZAP/policies/mydefault.policy
>>>>>> RUN chown zap:zap /zap -R
>>>>>> RUN chown zap:zap /home/zap -R
>>>>>> RUN chmod 777 /zap -R
>>>>>> RUN chmod 777 /home/zap -R
>>>>>> USER zap
>>>>>> EXPOSE 8090
>>>>>>
>>>>>> On Thursday, March 21, 2024 at 10:56:23 AM UTC-3 psi...@gmail.com
>>>>>> wrote:
>>>>>>
>>>>>>> It sounds like you're using your own container, or at least not an
>>>>>>> official ZAP one.
>>>>>>> Have you checked that Firefox is correctly installed?
>>>>>>>
>>>>>>> I _think_ you can test it with a command like this:
>>>>>>>
>>>>>>> - firefox --headless --new-tab https://www.example.com
>>>>>>>>>>>>>>>>> *But the original issue is still there.*

dk

Apr 2, 2024, 3:10:45 PM
to ZAP User Group
Unfortunately, I'm not allowed to share the whole logs. Please check the previous posts for the partial logs.

Simon Bennetts

Apr 5, 2024, 12:44:10 PM
to ZAP User Group
The previous logs might be different as you have updated your add-ons.
And you might not have shared everything we need - we don't know what else is in the logs.

If you cannot share the information we need then we might not be able to help you.
Note that there are commercial support options available, assuming that you can share details if a contract is in place: https://www.zaproxy.org/support/

Cheers,

Simon