owasp/zap2docker-stable Automation Framework generating blank report


nishan...@gmail.com

Jun 26, 2022, 3:44:28 PM
to OWASP ZAP User Group
Hello,
I am facing a weird issue while using the Automation Framework in the owasp/zap2docker-stable docker container.

My plan performs a basic passive scan (against a context) and generates a report.

With the ZAP desktop app on my local machine, everything works fine and the report of the passive scan is generated successfully.

However, when I perform the exact same steps via docker, an empty report gets generated. The plan does run successfully, but the report is empty.
Note: URLs do get captured in ZAP before running the plan.

Below is what my plan YAML looks like:

---
env:
  contexts:
  - name: "MyAmazingContext.context"
    urls:
    includePaths: []
    excludePaths: []
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters: {}
  name: "alertFilter"
  type: "alertFilter"
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "modern"
    theme: "console"
    reportDir: "/zap/wrk"
    reportFile: "testReport.html"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "low"
  - "medium"
  - "high"
  confidences:
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "passingrules"
  - "instancecount"
  - "alertdetails"
  - "alertcount"
  - "params"
  - "chart"
  - "statistics"
  name: "report"
  type: "report"

Thanks,
Nishant Shah

Hector Luna

Jun 26, 2022, 4:41:35 PM
to OWASP ZAP User Group
I had this very same issue when I started doing this. You will have to use something like the weekly release in order to get the reports to populate properly.
Hope that helps.

kingthorin+owaspzap

Jun 26, 2022, 5:34:54 PM
to OWASP ZAP User Group
What action did you execute/include that would have generated alerts? I don't see one.

nishan...@gmail.com

Jun 27, 2022, 12:51:05 AM
to OWASP ZAP User Group
Thanks for replying.
I will explain in detail what I am doing and how I am capturing actions.

Basically, I want to integrate a UI automation tool like Selenium/Cypress with ZAP.
So, this is what I am doing:

1. Launching ZAP via a docker container using the command:
docker run -v $(pwd):/zap/wrk/:rw -u zap -p 8081:8081 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8081 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true

2. Execute the Cypress tests with proxy port 8081, so that all the test traffic is passed through port 8081, where ZAP is running/listening. The base URL of this Cypress test is https://mytesturl.com

3. I can see the traffic being captured by ZAP (on the command line).

4. Now, I run the above-mentioned Automation Framework plan. Again mentioning it below:
5. The report does get generated, but it's totally empty.

If I perform the same steps via ZAP desktop on my local machine, everything works fine.
So, I am a bit confused.

Thanks,
Nishant Shah

Simon Bennetts

Jun 27, 2022, 2:51:32 AM
to OWASP ZAP User Group

nishan...@gmail.com

Jun 29, 2022, 3:32:49 PM
to OWASP ZAP User Group
Thanks for the reply Simon.
Below is what I see in the log file. I cannot deduce much from the logs, TBH, whether it's a bug or not.
Please let me know if you can figure out more from the logs below. Thanks in advance!

2022-06-29 19:22:04,972 [main ] INFO  CommandLine - Job: alertFilter Added context filter for context: MyAmazingContext.context alertId: 1 new risk: False Positive

2022-06-29 19:22:04,977 [main ] INFO  CommandLine - Job alertFilter finished

2022-06-29 19:22:04,982 [main ] INFO  CommandLine - Job passiveScan-config started

2022-06-29 19:22:04,986 [main ] INFO  CommandLine - Job passiveScan-config finished

2022-06-29 19:22:04,987 [main ] INFO  CommandLine - Job passiveScan-wait started

2022-06-29 19:22:05,004 [main ] INFO  CommandLine - Job passiveScan-wait finished

2022-06-29 19:22:05,009 [main ] INFO  CommandLine - Job report started

2022-06-29 19:22:08,178 [main ] INFO  CommandLine - Job report generated report /zap/wrk/testReport.html

2022-06-29 19:22:08,184 [main ] INFO  CommandLine - Job report finished

2022-06-29 19:22:08,189 [main ] INFO  CommandLine - Automation plan warnings:

2022-06-29 19:22:08,190 [main ] INFO  CommandLine -     Unrecognised parameter for job alertFilter : deleteGlobalAlerts

2022-06-29 19:22:08,193 [main ] INFO  Control - Automation Framework setting exit status to due to plan warnings

2022-06-29 19:22:13,921 [main ] INFO  ENGINE - dataFileCache commit start

2022-06-29 19:22:13,925 [main ] INFO  ENGINE - dataFileCache commit end

2022-06-29 19:22:13,934 [main ] INFO  ENGINE - Database closed

2022-06-29 19:22:14,052 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.

2022-06-29 19:22:33,208 [ZAP-ProxyThread-471] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=XNNgpZeIaBbKLxUqVRw-mV1uoiD9ifQc8gi9OqQ06MU&key=AIzaSyAWGrfCCr7albM3lmCc937gx4uIphbpeKQ&RID=rpc&SID=A_tkvsG_vcxO24Yy5lwNXg&CI=0&AID=0&TYPE=xmlhttp&zx=w3ibilcw5bak&t=2 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:22:47,563 [ZAP-ProxyThread-524] WARN  ProxyThread - Failed to read https://chat.google.com/u/0/webchannel/events?VER=8&RID=rpc&SID=3_6Z5mz1pAxyE_ubwZq32g&CI=1&AID=3&TYPE=xmlhttp&zx=vcb0uovd1md6&t=1 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:22:50,798 [ZAP-ProxyThread-527] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=VBkuaUwsMl4aa41HUqD-tS4FUCYnC1pjTyAiJ7-wnng&key=AIzaSyCIMH2ks6VPAfRC2lqU_Snz1Lo76XGdnlc&RID=rpc&SID=U-7fAyfkIoFMAuXtpxOYsA&CI=0&AID=0&TYPE=xmlhttp&zx=758m4smpem63&t=4 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:23:11,733 [ZAP-ProxyThread-536] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=XNNgpZeIaBbKLxUqVRw-mV1uoiD9ifQc8gi9OqQ06MU&key=AIzaSyAWGrfCCr7albM3lmCc937gx4uIphbpeKQ&RID=rpc&SID=A_tkvsG_vcxO24Yy5lwNXg&CI=0&AID=0&TYPE=xmlhttp&zx=7jjyknin1xk&t=3 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:23:19,444 [ZAP-ProxyThread-549] WARN  ProxyThread - Timeout reading (client) message after CONNECT to www.google.com:443

2022-06-29 19:23:20,797 [ZAP-ProxyThread-527] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/v1/chooseServer?key=AIzaSyCIMH2ks6VPAfRC2lqU_Snz1Lo76XGdnlc within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:23:49,459 [ZAP-ProxyThread-562] WARN  ProxyThread - Failed to read https://chat.google.com/u/0/webchannel/events?VER=8&RID=rpc&SID=gsi9ExV9rkCeskgM3QWnYg&CI=1&AID=3&TYPE=xmlhttp&zx=6s7gr63a4hqg&t=1 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:23:54,894 [ZAP-ProxyThread-565] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=XNNgpZeIaBbKLxUqVRw-mV1uoiD9ifQc8gi9OqQ06MU&key=AIzaSyAWGrfCCr7albM3lmCc937gx4uIphbpeKQ&RID=rpc&SID=A_tkvsG_vcxO24Yy5lwNXg&CI=0&AID=0&TYPE=xmlhttp&zx=btbj3gqdxmwg&t=4 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:23:56,311 [ZAP-ProxyThread-536] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=pEA1YZcY4vWvg8_02ZLDKtsiJQwxKZNV9hRzoKP2Res&key=AIzaSyCIMH2ks6VPAfRC2lqU_Snz1Lo76XGdnlc&RID=rpc&SID=tDLpvOs5C0gtBIlfXLQvlQ&CI=0&AID=0&TYPE=xmlhttp&zx=yl64qgqa5cws&t=1 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:24:24,979 [ZAP-ProxyThread-565] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/v1/chooseServer?key=AIzaSyAWGrfCCr7albM3lmCc937gx4uIphbpeKQ within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

2022-06-29 19:24:37,376 [ZAP-ProxyThread-536] WARN  ProxyThread - Failed to read https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8&gsessionid=pEA1YZcY4vWvg8_02ZLDKtsiJQwxKZNV9hRzoKP2Res&key=AIzaSyCIMH2ks6VPAfRC2lqU_Snz1Lo76XGdnlc&RID=rpc&SID=tDLpvOs5C0gtBIlfXLQvlQ&CI=0&AID=0&TYPE=xmlhttp&zx=b1fz1mcgji8s&t=2 within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.


Thanks & Regards,

Nishant Shah

Simon Bennetts

Jul 1, 2022, 3:31:18 AM
to OWASP ZAP User Group
Hi Nishant,

Sorry, I've only just looked at your AF plan in detail.
You are not actually exploring the app in your plan - that's why the report is empty :/
You configure the passive scanner and wait for it, but the passive scanner will not do anything on its own.
You need to explore the app before waiting for the passive scanner to complete, e.g. using one or both of the spider jobs, or importing an API definition.

Cheers,

Simon

nishan...@gmail.com

Jul 1, 2022, 3:53:26 AM
to OWASP ZAP User Group
Thanks Simon.
Is it mandatory to explore/spider the app in my plan itself?
What I am doing is:
1. I run ZAP in daemon mode via docker
2. I explore the app manually
3. I run the plan from command line via docker

I am expecting the plan to pick up the exploration that happened in step 2.
If I do the same thing from the ZAP desktop app, it works. So, I was expecting it to work via docker as well.

Thanks,
Nishant Shah

Simon Bennetts

Jul 1, 2022, 3:59:34 AM
to OWASP ZAP User Group
Yeah, but I suspect you are not doing _exactly_ the same things :)
When you're running from the desktop I'm guessing you are waiting for the Cypress tests to finish?
That's not what you've told the plan to do.
The plan will just run straight through, probably before your tests even start.
I think that might be what you need.

Cheers,

Simon
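As an added illustration of Simon's two points above (the plan contains no explore step, and it runs straight through without waiting for any external traffic), here is a version of the poster's plan with a spider job placed before passiveScan-wait. This is example code written for this thread, not a plan from the original posts or from the ZAP project; the context name, target URL and report settings are taken from the thread, while the spider limits and the passiveScan-wait maxDuration are illustrative values.

```yaml
---
# Added example (not from the original thread): the poster's plan with an
# explore step inserted before passiveScan-wait. Context name and target
# URL come from the thread; spider limits are illustrative.
env:
  contexts:
  - name: "MyAmazingContext.context"
    urls:
    - "https://mytesturl.com"
    includePaths: []
    excludePaths: []
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
# Explore step. Without a job like this (or an openapi/soap import job),
# nothing generates traffic for the passive scanner to inspect, so
# passiveScan-wait returns immediately and the report carries no alerts.
- parameters:
    context: "MyAmazingContext.context"
    url: "https://mytesturl.com"
    maxDuration: 5        # minutes; illustrative limit
    maxDepth: 5           # illustrative limit
    maxChildren: 0        # 0 = no limit
  name: "spider"
  type: "spider"
# Wait for the passive scan queue to drain, with an upper bound so a
# slow target cannot stall the pipeline indefinitely.
- parameters:
    maxDuration: 5        # minutes; illustrative limit
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "modern"
    theme: "console"
    reportDir: "/zap/wrk"
    reportFile: "testReport.html"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "low"
  - "medium"
  - "high"
  confidences:
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "alertdetails"
  - "alertcount"
  - "statistics"
  name: "report"
  type: "report"
```

Saved as plan.yaml in the mounted work directory, this runs with the same image the poster uses: `docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/plan.yaml`. Because the exploration now happens inside the plan, the report no longer depends on whatever traffic happened to reach the daemon earlier, which is the difference between the desktop run (where the Cypress traffic was already in the session when the plan ran) and the docker run Simon describes.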