
I recently encountered an issue using zap-cli. I'm trying to do the same thing as at: https://www.zaproxy.org/docs/api/?python#script-based-authentication In other words, scanning a dvwa docker container using zap in CLI mode.

I imported the context with:

zap-cli context import ContexteDef.context

(If I try to import it again with the same command I get an IllegalContextNameException error saying "A context with the given name [Contexte par défaut] already exists." So I guess the context import was successful.)

My issue is that I have this error when launching the scan:

zap@1a609067e22f:/zap$ zap-cli active-scan -c "Contexte par défaut" -u Administrator http://localhost:3000
(context = contexte name, not the .context file name)
[INFO]            Running an active scan...
2169242 [ZAP-ProxyThread-419] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scanAsUser/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: url_not_found
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:913) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:369) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
[ERROR]     Error running active scan: "url_not_found". Make sure the URL is in the site tree by using the open-url or scanner commands before running an active scan.

The context I use is ContexteDef.context (see the file after the error message). It contains the URL I'm trying to scan:

>      <incregexes>http://localhost:3000.*</incregexes>
>         <excregexes>\Qhttp://localhost:3000/login.php\E</excregexes>
>         <excregexes>\Qhttp://localhost:3000/logout.php\E</excregexes>
>         <excregexes>\Qhttp://localhost:3000/setup.php\E</excregexes>
>         <excregexes>\Qhttp://localhost:3000/security.php\E</excregexes>

I built it following the tutorial and exported it from the ZAP UI.

More info:

I used the following command to launch zap:

zap-x.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true -config view.mode=attack & 2>/dev/null

I'm using the authentication script given here: https://github.com/zaproxy/zap-api-docs/blob/master/source/scripts/auth-dvwa.js

I load the authentication script using interactive zap-cli as follows:

zap@1a609067e22f:/zap$ zap-cli scripts load
Name: authDvwa
Script type: websocketpassive
Engine: ECMAScript : Oracle Nashorn
File path: /zap/authDvwa.js
[INFO] Script "authWS" loaded

I enabled it so I guess it's recognized by zap:

zap@b4ad1ea15b49:/zap$ zap-cli scripts enable authDvwa
[INFO]            Script "authDvwa" enabled

When running the following command as suggested:

zap@b4ad1ea15b49:/zap$ zap-cli open-url http://localhost:3000

I get the following error:

[INFO]            Accessing URL http://localhost:3000
4218009 [ZAP-ProxyThread-875] INFO  org.zaproxy.zap.users.User - Authenticating user: Administrator
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 703, in urlopen
4218009 [ZAP-ProxyThread-875] ERROR org.zaproxy.zap.ZAP.UncaughtExceptionLogger - Exception in thread "ZAP-ProxyThread-875" java.lang.NullPointerException: null
        at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.getScriptInterface(ScriptBasedAuthenticationMethodType.java:789) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.access$100(ScriptBasedAuthenticationMethodType.java:81) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType$ScriptBasedAuthenticationMethod.authenticate(ScriptBasedAuthenticationMethodType.java:272) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.users.User.authenticate(User.java:271) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:170) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:596) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:460) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:562) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) ~[zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 449, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 444, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.8/http/client.py", line 1348, in getresponse
    response.begin()
  File "/usr/lib/python3.8/http/client.py", line 316, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.8/http/client.py", line 285, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 440, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 785, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://localhost:3000/ (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/zapcli/cli.py", line 105, in open_url
    zap_helper.open_url(url)
  File "/usr/local/lib/python3.8/dist-packages/zapcli/zap_helper.py", line 136, in open_url
    self.zap.urlopen(url)
  File "/usr/local/lib/python3.8/dist-packages/zapv2/__init__.py", line 155, in urlopen
    return requests.get(url, proxies=self.__proxies, verify=False, *args, **kwargs).text
  File "/usr/local/lib/python3.8/dist-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 529, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 645, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 513, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://localhost:3000/ (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

Here is the ContexteDef.context file:

<context>
    <name>Contexte par défaut</name>
    <desc/>
    <inscope>true</inscope>
    <incregexes>http://localhost:3000.*</incregexes>
    <excregexes>\Qhttp://localhost:3000/login.php\E</excregexes>
    <excregexes>\Qhttp://localhost:3000/logout.php\E</excregexes>
    <excregexes>\Qhttp://localhost:3000/setup.php\E</excregexes>
    <excregexes>\Qhttp://localhost:3000/security.php\E</excregexes>
    <tech>
        <include>Db</include>
        <include>Db.CouchDB</include>
        <include>Db.Firebird</include>
        <include>Db.HypersonicSQL</include>
        <include>Db.IBM DB2</include>
        <include>Db.Microsoft Access</include>
        <include>Db.Microsoft SQL Server</include>
        <include>Db.MongoDB</include>
        <include>Db.MySQL</include>
        <include>Db.Oracle</include>
        <include>Db.PostgreSQL</include>
        <include>Db.SAP MaxDB</include>
        <include>Db.SQLite</include>
        <include>Db.Sybase</include>
        <include>Language</include>
        <include>Language.ASP</include>
        <include>Language.C</include>
        <include>Language.JSP/Servlet</include>
        <include>Language.Java</include>
        <include>Language.Java.Spring</include>
        <include>Language.JavaScript</include>
        <include>Language.PHP</include>
        <include>Language.Python</include>
        <include>Language.Ruby</include>
        <include>Language.XML</include>
        <include>OS</include>
        <include>OS.Linux</include>
        <include>OS.MacOS</include>
        <include>OS.Windows</include>
        <include>SCM</include>
        <include>SCM.Git</include>
        <include>SCM.SVN</include>
        <include>WS</include>
        <include>WS.Apache</include>
        <include>WS.IIS</include>
        <include>WS.Tomcat</include>
    </tech>
    <urlparser>
        <class>org.zaproxy.zap.model.StandardParameterParser</class>
        <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
    </urlparser>
    <postparser>
        <class>org.zaproxy.zap.model.StandardParameterParser</class>
        <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
    </postparser>
    <authentication>
        <type>4</type>
        <strategy>EACH_RESP</strategy>
        <pollurl/>
        <polldata/>
        <pollheaders/>
        <pollfreq>60</pollfreq>
        <pollunits>REQUESTS</pollunits>
        <loggedin>\Q&lt;a href="logout.php"&gt;Logout&lt;/a&gt;\E</loggedin>
        <loggedout> (?:Location: [./]*login\.php)|(?:\Q&lt;form action="login.php" method="post"&gt;\E)</loggedout>
        <script>
            <name>authDvwa</name>
            <params>TG9naW5fVVJM:aHR0cDovL2xvY2FsaG9zdDozMDAwL2xvZ2luLnBocA==&amp;Q1NSRl9GaWVsZA==:dXNlcl90b2tlbg==&amp;UE9TVF9EYXRh:dXNlcm5hbWU9eyV1c2VybmFtZSV9JnBhc3N3b3JkPXslcGFzc3dvcmQlfSZMb2dpbj1Mb2dpbiZ1c2VyX3Rva2VuPXsldXNlcl90b2tlbiV9</params>
        </script>
    </authentication>
    <users>
        <user>46;true;QWRtaW5pc3RyYXRvcg==;4;VXNlcm5hbWU=:YWRtaW4=&amp;UGFzc3dvcmQ=:cGFzc3dvcmQ=</user>
    </users>
    <forceduser>46</forceduser>
    <session>
        <type>0</type>
    </session>
    <authorization>
        <type>0</type>
        <basic>
            <header/>
            <body/>
            <logic>AND</logic>
            <code>-1</code>
        </basic>
    </authorization>
</context> </configuration>

Would really appreciate some help on this! I can't figure out what is wrong in what I did. Thanks in advance, Thomas

thomas
  • What version of java are you using? – kingthorin May 24 '22 at 19:56
  • @kingthorin I'm using openjdk 11.0.15 2022-04-19 inside the zap docker (java --version command) – thomas May 27 '22 at 11:37
  • Your script is loading as a websocketpassive not an auth script for some reason. The question is also a bit confusing between authWS and authDVWA. zap@1a609067e22f:/zap$ zap-cli scripts load Name: authDvwa Script type: websocketpassive Engine: ECMAScript : Oracle Nashorn File path: /zap/authDvwa.js [INFO] Script "authWS" loaded – kingthorin May 27 '22 at 16:20
  • Hi, thanks for your reply, I will check the error on the script's name. Concerning the 'websocketpassive' if I remember well I had errors while using 'authentication'. I'll retry running a scan tomorrow and I'll keep you updated – thomas May 28 '22 at 20:23
  • Hi there, with the change "Script type: authentication" and the associated script loaded (I corrected the script name error @kingthorin you mentioned), I get an error 'Error enabling script: illegal_parameter' when I try to enable the script. It's not enabled since the last column from "zap-cli scripts list" indicates "N/A". So my script is loaded but not enabled. I can't figure out why 'authentication' is an illegal parameter (if I change Script type to websocketpassive, I can enable the script but we return to the original error...) – thomas Jun 02 '22 at 14:47
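As an added example (not code from the question, from ZAP or from zap-cli), the following Python decodes the authentication and user records in the ContexteDef.context file posted in the question. ZAP stores script parameters and user credentials as `&`-joined `base64(key):base64(value)` pairs (written as `&amp;` in the XML), so decoding the export shows the exact script name (`authDvwa`), login URL, CSRF field and credentials the context expects the loaded authentication script to use; it also makes visible that the credentials are only base64-encoded, not encrypted, so a context export has to be handled as a secret. `SCRIPT_BASED`, `decode_pairs`, `decode_context` and `check_context` are names of my own; the XML excerpt is a constructed subset of the posted file.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed excerpt of the ContexteDef.context file posted in the question;
# only the elements this decoder reads are kept.
CONTEXT_XML = """<context>
  <name>Contexte par défaut</name>
  <authentication>
    <type>4</type>
    <script><name>authDvwa</name>
      <params>TG9naW5fVVJM:aHR0cDovL2xvY2FsaG9zdDozMDAwL2xvZ2luLnBocA==&amp;Q1NSRl9GaWVsZA==:dXNlcl90b2tlbg==&amp;UE9TVF9EYXRh:dXNlcm5hbWU9eyV1c2VybmFtZSV9JnBhc3N3b3JkPXslcGFzc3dvcmQlfSZMb2dpbj1Mb2dpbiZ1c2VyX3Rva2VuPXsldXNlcl90b2tlbiV9</params></script>
  </authentication>
  <users><user>46;true;QWRtaW5pc3RyYXRvcg==;4;VXNlcm5hbWU=:YWRtaW4=&amp;UGFzc3dvcmQ=:cGFzc3dvcmQ=</user></users>
</context>"""
SCRIPT_BASED = "4"  # the authentication <type> the posted context uses for script-based auth


def decode_pairs(encoded: str) -> dict:
    """Decode ZAP's 'b64(key):b64(value)&...' encoding (text already XML-unescaped)."""
    pairs = {}
    for item in filter(None, encoded.split("&")):
        key, _, value = item.partition(":")
        pairs[base64.b64decode(key).decode()] = base64.b64decode(value).decode()
    return pairs


def decode_context(xml_text: str) -> dict:
    """Return the auth method, script parameters and users stored in a context file."""
    root = ET.fromstring(xml_text)  # ElementTree turns &amp; back into '&'
    auth = root.find("authentication")
    script = auth.find("script")
    users = []
    for user in root.iterfind("users/user"):
        # User record format: id;enabled;b64(name);authType;b64(key):b64(value)&...
        uid, enabled, name, auth_type, creds = user.text.split(";", 4)
        users.append({"id": int(uid), "enabled": enabled == "true", "auth_type": auth_type,
                      "name": base64.b64decode(name).decode(), "credentials": decode_pairs(creds)})
    return {"name": root.findtext("name"), "auth_type": auth.findtext("type"),
            "script": None if script is None else script.findtext("name"),
            "params": {} if script is None else decode_pairs(script.findtext("params")),
            "users": users}


def check_context(info: dict) -> list:
    """Findings to resolve before scanning: script auth needs a script, users must match it."""
    findings = []
    if info["auth_type"] == SCRIPT_BASED and not info["script"]:
        findings.append("script-based auth but no script name")
    for user in info["users"]:
        if user["auth_type"] != info["auth_type"]:
            findings.append(f"user {user['name']}: auth type {user['auth_type']} != context")
    return findings
```

The script name returned here is the name ZAP looks up among the loaded scripts, so it must match a script loaded with the authentication type, which is the point kingthorin raises in the comments.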

0 Answers