ZAP-Advanced: Error messages when using custom auth/session scripts (but they still work) #1187

Closed
malexmave opened this issue May 23, 2022 · 1 comment
Labels
bug Bugs scanner Implement or update a security scanner

Comments

@malexmave
Member

🐞 Bug report

When using ZAP-Advanced with a custom session and/or auth script, the process throws errors:

Logs from zap-advanced-scan container in pod:

2022-05-23 12:16 ZapClient    INFO    : Loading new Script 'OIDCWithTokenExchange.js' at '/home/zap/.ZAP_D/scripts/scripts/authentication/OIDCWithTokenExchange.js' with type: 'authentication' and engine 'Oracle Nashorn'
2022-05-23 12:16 ZapClient    INFO    : Activating Script 'OIDCWithTokenExchange.js' with 'enabled: true'
2022-05-23 12:16 ZapClient    WARNING : Failed to call ZAP Method ['script.enable'], result is: 'illegal_parameter'
2022-05-23 12:16 ZapConfigureContext INFO    : Existing Users will be removed before adding new ones.
2022-05-23 12:16 ZapConfigureContext INFO    : Configuring the ZAP session management (type=scriptBasedSessionManagement)
2022-05-23 12:16 ZapClient    INFO    : Loading new Script 'bap-session-management.js' at '/home/zap/.ZAP_D/scripts/scripts/session/bap-session-management.js' with type: 'session' and engine 'Oracle Nashorn'
2022-05-23 12:16 ZapClient    INFO    : Activating Script 'bap-session-management.js' with 'enabled: true'
2022-05-23 12:16 ZapClient    WARNING : Failed to call ZAP Method ['script.enable'], result is: 'illegal_parameter'

Log from zap-sidecar:

32911 [ZAP-ProxyThread-23] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/remove/] from [0:0:0:0:0:0:0:1]:
org.zaproxy.zap.extension.api.ApiException: does_not_exist
	at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:367) ~[zap-2.11.1.jar:2.11.1]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
	at java.lang.Thread.run(Thread.java:829) [?:?]
32965 [ZAP-ProxyThread-25] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/enable/] from [0:0:0:0:0:0:0:1]:
org.zaproxy.zap.extension.api.ApiException: illegal_parameter
	at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:291) ~[zap-2.11.1.jar:2.11.1]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
	at java.lang.Thread.run(Thread.java:829) [?:?]
32979 [ZAP-ProxyThread-26] INFO  org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Loaded script for API:OIDCWithTokenExchange.js
34057 [ZAP-ProxyThread-35] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/remove/] from [0:0:0:0:0:0:0:1]:
org.zaproxy.zap.extension.api.ApiException: does_not_exist
	at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:367) ~[zap-2.11.1.jar:2.11.1]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
	at java.lang.Thread.run(Thread.java:829) [?:?]
34089 [ZAP-ProxyThread-37] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/script/action/enable/] from [0:0:0:0:0:0:0:1]:
org.zaproxy.zap.extension.api.ApiException: illegal_parameter
	at org.zaproxy.zap.extension.script.ScriptAPI.handleApiAction(ScriptAPI.java:291) ~[zap-2.11.1.jar:2.11.1]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
	at java.lang.Thread.run(Thread.java:829) [?:?]
34111 [ZAP-ProxyThread-38] INFO  org.zaproxy.zap.session.ScriptBasedSessionManagementMethodType - Loaded script for API:bap-session-management.js

The scripts are used regardless of the errors; they appear to be cosmetic.

@malexmave malexmave added bug Bugs scanner Implement or update a security scanner labels May 23, 2022
@Weltraumschaf
Member

Won't do: #1851
