OWASP Zap docker CASA full-scan - Bad request to API endpoint [/JSON/spider/action/scanAsUser/]


Lei

Jul 31, 2023, 1:55:13 PM
to OWASP ZAP User Group
Hello,

I am attempting to run the dynamic scan according to the instructions on appdefense alliance's website for CASA security assessment. I have also referred to the owasp zap docker documentation, but I see the following issues:
Traceback (most recent call last):
  File "/zap/zap-full-scan.py", line 357, in main
    zap_spider(zap, target)
  File "/zap/zap_common.py", line 108, in _wrap
    return_data = func(*args_list, **kwargs)
  File "/zap/zap_common.py", line 424, in zap_spider
    raise_scan_not_started()
  File "/zap/zap_common.py", line 411, in raise_scan_not_started
    raise ScanNotStartedException('Failed to start the scan, check the log/output for more details.')
zap_common.ScanNotStartedException: Failed to start the scan, check the log/output for more details.
...
...
8708 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080
12390 [ZAP-IO-Server-1-2] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/spider/action/scanAsUser/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: MISSING_PARAMETER (url)

I have followed these steps:
  1. Used the OWASP ZAP desktop app to create my context with JSON-based auth, according to the instructions here
  2. Created two users: verified and unverified in the context, and exported the file
  3. cd into the folder containing my .context file and zap-casa-config.conf
  4. Run this command:
    docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://www.myappdomain.ca -P 8080 -c zap-casa-config.conf -x results-full.xml -n ./DastContext.context -U verified
    (I also tried -n /zap/wrk/DastContext.context to no avail, and tried removing -P 8080 but it didn't help)
I am required to complete this scan for work, but I am unfamiliar with this software. I'm trying to understand from the documentation what I could have missed; I just keep getting this error. I also tried running the app locally, but I encountered even more issues.

Not sure where to go from here, any help would be greatly appreciated! Thanks.

Simon Bennetts

Aug 1, 2023, 3:08:51 AM
to OWASP ZAP User Group
Hiya,


I would have expected using "/zap/wrk/DastContext.context" to have worked.
Hopefully the zap.log file will give more details of what went wrong.
Feel free to post the log here, redacting anything sensitive.

Cheers,

Simon

Lei

Aug 1, 2023, 11:32:59 AM
to ZAP User Group
Thanks for your response. It seems there was a step missing; once I added a URL regex, the scan worked. However, when the scan is complete, no XML report file is being generated. I tried using the live image as well to see if that would produce a report, but I can't find any .xml file. I expect it to be saved in the current folder where I ran the docker command. Is that an accurate assumption?

Lei

Aug 1, 2023, 3:28:47 PM
to ZAP User Group
I sorted out my issue with the report not being generated, it was a directory permissions issue. Thanks!

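The two failures in this thread (a context with no include regex, so scanAsUser is called without a url, and a mounted folder the container cannot write the -x report to) can both be caught before the docker command is run. The following pre-flight check is an added example, not code from the thread or from the ZAP project; it assumes the element names of ZAP's exported .context file (<context>, <incregexes>) and uses constructed sample contexts and an assumed placeholder target URL.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a context exported without any "Include in Context" regex.
# This is the shape that leaves the spider with no URL to start from.
CONTEXT_NO_INCLUDE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>DastContext</name>
    <inscope>true</inscope>
    <excregexes>https://www.example-app.test/logout.*</excregexes>
  </context>
</configuration>
"""

# Constructed sample: the same context with the target covered by an include regex.
CONTEXT_WITH_INCLUDE = CONTEXT_NO_INCLUDE.replace(
    "<inscope>true</inscope>",
    "<inscope>true</inscope>\n    <incregexes>https://www.example-app.test.*</incregexes>",
)


def include_regexes(context_xml: str) -> list[str]:
    """Return every include regex in the context (element name assumed from ZAP's export)."""
    root = ET.fromstring(context_xml)
    return [e.text for e in root.iter("incregexes") if e.text]


def target_in_context(context_xml: str, target_url: str) -> bool:
    """True if some include regex matches the whole target URL (ZAP matches the full URL)."""
    return any(re.fullmatch(rx, target_url) for rx in include_regexes(context_xml))


def preflight(context_xml: str, target_url: str, work_dir: str) -> list[str]:
    """Collect the problems that would make the docker scan fail before anything is started."""
    problems = []
    if not target_in_context(context_xml, target_url):
        problems.append("no include regex covers the target; scanAsUser will be called without a url")
    if not os.access(work_dir, os.W_OK):
        problems.append(f"{work_dir} is not writable; the -x report cannot be written there")
    return problems


def scratch_work_dir() -> str:
    """A writable directory standing in for the host folder mounted at /zap/wrk."""
    return tempfile.mkdtemp(prefix="zap-wrk-")
```

Run preflight against the real .context file and the folder you mount at /zap/wrk; an empty list means both of the thread's failure modes are ruled out.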

psiinon

Aug 3, 2023, 4:26:00 AM
to zaprox...@googlegroups.com
Thanks for letting us know!



--
ZAP Project leader