I was following the API documentation of Using Spider. The Java based code block works great and I get an output.
Code:
    import java.util.List;

    import org.zaproxy.clientapi.core.ApiResponse;
    import org.zaproxy.clientapi.core.ApiResponseElement;
    import org.zaproxy.clientapi.core.ApiResponseList;
    import org.zaproxy.clientapi.core.ClientApi;

    public class SpiderViewStatus {

        private static final String ZAP_ADDRESS = "localhost";
        private static final int ZAP_PORT = 8080;
        // Change to match the API key set in ZAP, or use NULL if the API key is disabled
        private static final String ZAP_API_KEY = "93tpvc1c5ek2b94arh0e7c8he";
        // The URL of the application to be tested
        private static final String TARGET = "https://public-firing-range.appspot.com";
        //private static final String TARGET = "http://localhost:3000"; //Juice Shop

        public static void main(String[] args) {
            ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

            try {
                // Start spidering the target
                System.out.println("Spidering target : " + TARGET);
                ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
                String scanID;
                int progress;

                // The scan returns a scan id to support concurrent scanning
                scanID = ((ApiResponseElement) resp).getValue();
                // Poll the status until it completes
                while (true) {
                    Thread.sleep(1000);
                    progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
                    System.out.println("Spider progress : " + progress + "%");
                    if (progress >= 100) {
                        break;
                    }
                }
                System.out.println("Spider completed");
                // If required post process the spider results
                List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();
                for (ApiResponse spiderResult : spiderResults)
                    System.out.println(spiderResult);

                // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities

            } catch (Exception e) {
                System.out.println("Exception : " + e.getMessage());
                e.printStackTrace();
            }
        }
    }
Output:
    Spidering target : https://public-firing-range.appspot.com
    Spider progress : 0%
    Spider progress : 66%
    Spider progress : 100%
    Spider completed
    https://public-firing-range.appspot.com/sitemap.xml
    https://public-firing-range.appspot.com/robots.txt
    https://public-firing-range.appspot.com
Within the View Status section it also mentions executing the status API to get the status/percentage of work done by the Spider. However, when I append the code block of spiderViewStatus:
Code Block:
    System.out.println("Spider completed");
    // If required post process the spider results

    //spiderViewStatus: https://www.zaproxy.org/docs/api/#spiderviewstatus
    URL obj = new URL("http://zap/JSON/spider/view/status/");
    HttpURLConnection con = (HttpURLConnection) obj.openConnection();
    con.setRequestMethod("GET");
    int responseCode = con.getResponseCode();
    BufferedReader in = new BufferedReader(
            new InputStreamReader(con.getInputStream()));
    String inputLine;
    StringBuffer response = new StringBuffer();
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
    in.close();
    System.out.println(response.toString());

    // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
I am facing java.net.UnknownHostException: zap
as follows:
Error stacktrace:
    Spidering target : https://public-firing-range.appspot.com
    Spider progress : 66%
    Spider progress : 100%
    Spider completed
    Exception : zap
    java.net.UnknownHostException: zap
        at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at sun.net.NetworkClient.doConnect(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.<init>(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at ZAP_tests.SpiderViewStatus.main(SpiderViewStatus.java:52)
I have tried replacing http://zap/JSON/spider/view/status/ with http://localhost:8080/JSON/spider/view/status/, but I still get the same error.
Can anyone help me out please?
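An added example, not part of the original question or the ZAP documentation: `zap` is not a DNS name but a host that ZAP answers itself when a request is sent through it as an HTTP proxy, so this sketch routes the status request through the ZAP listener and passes the scan id and API key explicitly. The class name `SpiderStatusOverHttp` and the helpers `statusUrl` and `fetchStatus` are hypothetical; the address, port and key are assumed to match the `ClientApi` settings in the question.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class SpiderStatusOverHttp {
    // Assumed to match the ClientApi settings used in the question
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = "93tpvc1c5ek2b94arh0e7c8he";

    // The status view takes the id returned by spider.scan as "scanId"
    static String statusUrl(String scanId) throws Exception {
        return "http://zap/JSON/spider/view/status/?scanId="
                + URLEncoder.encode(scanId, "UTF-8");
    }

    static String fetchStatus(String scanId) throws Exception {
        // Send the request via ZAP so that ZAP, not DNS, handles the "zap" host
        Proxy zap = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(ZAP_ADDRESS, ZAP_PORT));
        HttpURLConnection con = (HttpURLConnection) new URL(statusUrl(scanId)).openConnection(zap);
        con.setRequestMethod("GET");
        con.setRequestProperty("X-ZAP-API-Key", ZAP_API_KEY); // API key sent as a header
        con.setConnectTimeout(5000);
        con.setReadTimeout(5000);
        int code = con.getResponseCode();
        if (code != HttpURLConnection.HTTP_OK) {
            throw new IllegalStateException("ZAP API returned HTTP " + code);
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) body.append(line);
        }
        return body.toString(); // JSON containing the spider's progress percentage
    }

    public static void main(String[] args) throws Exception {
        String scanId = args.length > 0 ? args[0] : "0"; // constructed sample id
        System.out.println(fetchStatus(scanId));
    }
}
```

The `ClientApi` call `api.spider.status(scanID)` already used in the polling loop queries the same view, so the raw HTTP request is only needed when the client library is not in use.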