
I'm trying to use ZAP proxy via Docker. Pulled it down with:

 docker pull owasp/zap2docker-stable

Ran it with the command described in "Accessing the API from outside of the Docker container" section:

 docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0

But I don't seem to be able to connect to it. When I run docker inspect <CONTAINER ID> | grep IPAddress I'm getting 172.17.0.2 (EDIT: I can get a scan to run, and it took changing ZAP_SERVER_PROXY from 172.17.0.2:8090 to 0.0.0.0:8090 on Mac, so I'm editing that into the code example below). So the start of my script looks like:

import os
import time
from pprint import pprint
from zapv2 import ZAPv2

# Host-side address of the published container port (see EDIT above).
BASE_URL = os.getenv('BASE_URL', 'https://example.appspot.com/')
ZAP_SERVER_PROXY = os.getenv('ZAP_SERVER_PROXY', '0.0.0.0:8090')
# Must match the key the daemon was started with (-config api.key=...),
# or be left empty when the daemon runs with -config api.disablekey=true.
API_KEY = ''

zap = ZAPv2(
    # apikey=API_KEY,
    # ZAP's listener speaks plain HTTP; HTTPS traffic is tunnelled through it
    # with CONNECT, so both proxy entries use the http:// scheme.
    proxies={
        'http': "http://%s" % ZAP_SERVER_PROXY,
        'https': "http://%s" % ZAP_SERVER_PROXY
    }
)

Just trying to run it through the terminal using python right now and I keep getting connection refused errors. I've also tried it with the API_KEY parts commented out. Does anyone know where you find that key? I don't see it in the documentation.

Note: I'm on macOS, but running docker-machine ip default doesn't do anything, so I'm not sure how to get to the bottom of the linked page, and I'm new to Docker. Modeled the test after their own example. Running in a virtualenv -p python3 env; not sure if that is affecting it.

Cynic

2 Answers


Also, you will need to disable IP filtering - see here for details on how to do that; basically just use the following:

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

Be careful, as it will allow connections from any IP to Zaproxy, which is fine while running it in an isolated Docker container.

Omer Levi Hevroni
  • Thank you for linking to the documentation. I'm on Mac OSX Sierra, pip installed python-owasp-zap-v2.4==0.0.11, and am running the latest version of owasp/zap2docker-stable (2.6.0). I think this issue (https://github.com/zaproxy/zaproxy/issues/1686) may have been closed incorrectly, because it doesn't work with ```-config api.disablekey=true``` but will work with the ```-config api.key=9203935709``` argument if I uncomment ```apikey=API_KEY,``` in my script and use the matching API key. Will you please change the answer to suggest trying that if api.disablekey=true doesn't work. – Cynic Jul 11 '17 at 17:01
  • I am now reading your question carefully, and I suspect this might be a Docker issue, not a Zaproxy issue. I am personally running Zaproxy using the command above and it is working - connecting successfully. Did you check that you can open a TCP connection to zapproxy? Try `nc -vz 0.0.0.0 8090`. Also, you can use Docker for Mac - and then you don't need docker-machine anymore... – Omer Levi Hevroni Jul 11 '17 at 17:56
  • ```nc -vz 0.0.0.0 8090``` succeeds and I am running the image using Docker for Mac. If I run ```docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true api.addrs.addr.name=.* -config api.addrs.addr.regex=true``` and then trigger the script above with the API key parts commented out I get this error: – Cynic Jul 11 '17 at 18:09
  • You forgot a ```-config``` flag in front of ```api.addrs.addr.name=.*```. If you run: ```docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true``` it works. Please edit – Cynic Jul 11 '17 at 18:16
  • Thanks, sorry - I was just looking at my answer wondering why it is not working. Edited the answer. – Omer Levi Hevroni Jul 11 '17 at 18:18

As you've commented out the API key parameter in your script, try invoking the ZAP daemon with -config api.disablekey=true.

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true

vishnu narayanan