Scan URl via API in daemon mode #1775

Closed
jengra opened this issue Aug 9, 2015 · 14 comments
Comments

@jengra

jengra commented Aug 9, 2015

I'd like to scan one URL via the API, for example:

zap/JSON/ascan/action/scan/?url=google.de

Then I get no results; instead I get an exception like:
"An error occurred while parsing the JSON document. The document may not be structured according to the specification.
unexpected character at line 1 column 1
Parameter incomplete (missing_parameter): url"

What am I doing wrong?

@thc202
Member

thc202 commented Aug 9, 2015

ZAP expects the parameter url to have the scheme (but that's another issue, unrelated to the missing_parameter error).

What ZAP version are you using?
How are you calling the API? With a browser? An API client?
Would you mind checking ZAP's log file ("zap.log") to see if there's any error? [1]

[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

@jengra
Author

jengra commented Aug 9, 2015

I'm using version 2.4.1; I updated from 2.4.0 last week.
I called the API with an API client.

This is my log file:
Do you have any idea what's wrong?
2015-08-09 13:33:12,468 [ZAP-WS-Listener (remote) 'live.github.com:443 (#3)'] INFO TableWebSocket - insert message: #3.188
2015-08-09 13:33:12,474 [ZAP-WS-Listener (local) 'live.github.com:443 (#3)'] INFO TableWebSocket - insert message: #3.189
2015-08-09 13:33:12,475 [ZAP-WS-Listener (remote) 'live.github.com:443 (#4)'] INFO TableWebSocket - insert message: #4.190
2015-08-09 13:33:12,478 [ZAP-WS-Listener (remote) 'live.github.com:443 (#4)'] WARN WebSocketProxy - Invalid range
java.lang.IndexOutOfBoundsException: Invalid range
at javax.swing.DefaultRowSorter.rowsInserted(Unknown Source)
at org.jdesktop.swingx.sort.DefaultSortController.rowsInserted(DefaultSortController.java:404)
at javax.swing.JTable.notifySorter(Unknown Source)
at javax.swing.JTable.sortedTableChanged(Unknown Source)
at javax.swing.JTable.tableChanged(Unknown Source)
at org.jdesktop.swingx.JXTable.tableChanged(JXTable.java:1561)
at javax.swing.table.AbstractTableModel.fireTableChanged(Unknown Source)
at javax.swing.table.AbstractTableModel.fireTableRowsInserted(Unknown Source)
at org.zaproxy.zap.extension.websocket.ui.WebSocketMessagesViewModel.fireMessageArrived(WebSocketMessagesViewModel.java:378)
at org.zaproxy.zap.extension.websocket.ui.WebSocketPanel.onMessageFrame(WebSocketPanel.java:456)
at org.zaproxy.zap.extension.websocket.WebSocketProxy.notifyMessageObservers(WebSocketProxy.java:586)
at org.zaproxy.zap.extension.websocket.WebSocketProxy.processRead(WebSocketProxy.java:481)
at org.zaproxy.zap.extension.websocket.WebSocketListener.run(WebSocketListener.java:89)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2015-08-09 13:33:12,481 [ZAP-WS-Listener (local) 'live.github.com:443 (#4)'] INFO TableWebSocket - insert message: #4.191
2015-08-09 13:33:33,462 [ZAP-WS-Listener (remote) 'live.github.com:443 (#10)'] INFO TableWebSocket - insert message: #10.4
2015-08-09 13:33:33,468 [ZAP-WS-Listener (local) 'live.github.com:443 (#10)'] INFO TableWebSocket - insert message: #10.5
2015-08-09 13:33:33,599 [ZAP-ProxyThread-662] WARN API - handleApiRequest error: Internal error (internal_error)
Internal error (internal_error)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(Unknown Source)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(Unknown Source)
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at org.parosproxy.paros.model.SiteMap.getHostName(Unknown Source)
at org.parosproxy.paros.model.SiteMap.findNode(Unknown Source)
at org.zaproxy.zap.model.SessionStructure.find(Unknown Source)
... 6 more
2015-08-09 13:33:42,639 [ZAP-WS-Listener (remote) 'live.github.com:443 (#6)'] INFO TableWebSocket - insert message: #6.188
2015-08-09 13:33:42,645 [ZAP-WS-Listener (remote) 'live.github.com:443 (#9)'] INFO TableWebSocket - insert message: #9.166
2015-08-09 13:33:42,646 [ZAP-WS-Listener (local) 'live.github.com:443 (#6)'] INFO TableWebSocket - insert message: #6.189
2015-08-09 13:33:42,649 [ZAP-WS-Listener (local) 'live.github.com:443 (#6)'] WARN WebSocketProxy - Invalid range
java.lang.IndexOutOfBoundsException: Invalid range
at javax.swing.DefaultRowSorter.rowsInserted(Unknown Source)
at org.jdesktop.swingx.sort.DefaultSortController.rowsInserted(DefaultSortController.java:404)
at javax.swing.JTable.notifySorter(Unknown Source)
at javax.swing.JTable.sortedTableChanged(Unknown Source)
at javax.swing.JTable.tableChanged(Unknown Source)
at org.jdesktop.swingx.JXTable.tableChanged(JXTable.java:1561)
at javax.swing.table.AbstractTableModel.fireTableChanged(Unknown Source)
at javax.swing.table.AbstractTableModel.fireTableRowsInserted(Unknown Source)
at org.zaproxy.zap.extension.websocket.ui.WebSocketMessagesViewModel.fireMessageArrived(WebSocketMessagesViewModel.java:378)
at org.zaproxy.zap.extension.websocket.ui.WebSocketPanel.onMessageFrame(WebSocketPanel.java:456)
at org.zaproxy.zap.extension.websocket.WebSocketProxy.notifyMessageObservers(WebSocketProxy.java:586)
at org.zaproxy.zap.extension.websocket.WebSocketProxy.processRead(WebSocketProxy.java:481)
at org.zaproxy.zap.extension.websocket.WebSocketListener.run(WebSocketListener.java:89)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2015-08-09 13:33:42,649 [ZAP-WS-Listener (local) 'live.github.com:443 (#9)'] INFO TableWebSocket - insert message: #9.167

@thc202
Member

thc202 commented Aug 9, 2015

The internal_error is happening because the url to be scanned does have the scheme ("http://" or "https://").
Could you check if adding the scheme fixes the problem?

@thc202
Member

thc202 commented Aug 9, 2015

There's a missing "not" in previous answer:
... because the url to be scanned does not have the scheme...

@jengra
Author

jengra commented Aug 9, 2015

All right,
with google it works fine.
I tried this:
http://zap/JSON/ascan/action/scan/?url=http://www.google.de

But if I change the URL to my URL, which looks like:

http://zap/JSON/ascan/action/scan/?url=http://localhost/webaktesecurity/home
the same problem.

Is there any problem with scanning localhost URLs? First I'm trying it locally.

@thc202
Member

thc202 commented Aug 9, 2015

To which error are you referring with "same problem"?
No, the location of the target shouldn't matter.

Note that you need to access the target URL before starting the scan; also, if you just want to scan one URL you need to set the parameter recurse to false.

P.S. Deleted all the path traversal comments.

@jengra
Author

jengra commented Aug 10, 2015

Hello again,

Thanks a lot for your help. I don't know what's going wrong.

Maybe I'll tell you my approach:

I want to integrate OWASP in the TeamCity build server.
I'd like to implement OWASP through the API interface in a console application. I will start this console application in TeamCity.
Once the spider / scanner has started, I will set build breakers so that our version doesn't deploy.

If I understand you right,
OWASP can only scan if I have it as proxy in Firefox,
and if I click in my application, OWASP scans the website?

At the end I would like to make an evaluation of the following XML, so as not to deploy the version on the server if we have too many security bugs.

http://localhost:8080/OTHER/core/other/xmlreport/

What do I have to do if I want to do it automatically?
Can you tell me?
Maybe I'm also thinking wrong? I don't know.

Regards

@Grunny
Contributor

Grunny commented Aug 10, 2015

You don't need to proxy through Firefox, you just need to open the URL with ZAP as the proxy first to add it to the sites tree (i.e. make a request to it with localhost:8080 as the proxy). If you're using one of the API clients, this should happen with their relevant URL open method. For example, in Python you'd use the urlopen method before running the spider and/or active scan. See the ApiPython page for an example, or you can take a look at the CLI client I wrote for more examples if that's useful. You can also look at info on the Java API which links to examples, and there are more to be found in various places, or clients for many other languages.
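
The sequence described in the two answers above (add the target to the sites tree first, start the active scan with recurse=false for a single URL, poll until it finishes, then read the alerts to decide whether a build may deploy) as an added example. This is not code from the zaproxy project, from the API clients linked above, or from anyone in this thread; it builds the http://zap/JSON/... URLs by hand and sends them through the ZAP proxy the way an API client does. The proxy address 127.0.0.1:8080, the API key value, the build-breaker thresholds and the canned responses in fake_zap_transport are assumptions constructed for the example; the endpoint names (core/action/accessUrl, ascan/action/scan, ascan/view/status, core/view/alerts) are ZAP's own.

```python
"""Scan one URL through the ZAP JSON API and gate a build on the alert counts.

Added example (not zaproxy code). The transport function is injectable so the
whole flow can be exercised offline against constructed responses.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict

API_HOST = "http://zap"     # ZAP's internal API host, reachable only through the proxy
PROXY = "127.0.0.1:8080"    # assumption: ZAP daemon listening on its default port
API_KEY = "changeme"        # assumption: key configured with -config api.key=changeme


def has_scheme(url: str) -> bool:
    """True when the URL carries http:// or https:// and a host.

    ZAP answered url=google.de with internal_error (NullPointerException in
    SiteMap.getHostName) because the scheme was missing, so check it up front.
    """
    parsed = urllib.parse.urlsplit(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def build_api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build http://zap/<JSON|OTHER>/<component>/<kind>/<name>/?<params>&apikey=..."""
    fmt = "OTHER" if kind == "other" else "JSON"
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    return f"{API_HOST}/{fmt}/{component}/{kind}/{name}/?{query}"


def http_transport(url: str) -> bytes:
    """Real transport: fetch an API URL through the ZAP proxy."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": PROXY, "https": PROXY}))
    with opener.open(url, timeout=30) as resp:
        return resp.read()


def scan_single_url(target: str,
                    transport: Callable[[str], bytes] = http_transport) -> Dict[str, int]:
    """Access the target, active-scan only that URL, and count alerts by risk."""
    if not has_scheme(target):
        raise ValueError(f"target must include http:// or https://: {target!r}")
    # 1. The URL has to be in the sites tree before ascan will accept it.
    transport(build_api_url("core", "action", "accessUrl",
                            url=target, followRedirects="true"))
    # 2. recurse=false limits the scan to exactly this URL.
    started = json.loads(transport(build_api_url("ascan", "action", "scan",
                                                 url=target, recurse="false")))
    scan_id = str(started["scan"])
    # 3. Poll the scan until ZAP reports 100 %.
    while True:
        status = json.loads(transport(build_api_url("ascan", "view", "status",
                                                    scanId=scan_id)))
        if int(status["status"]) >= 100:
            break
        time.sleep(2)
    # 4. Read the alerts for this base URL and tally them by risk level.
    alerts = json.loads(transport(build_api_url("core", "view", "alerts",
                                                baseurl=target)))["alerts"]
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def build_should_fail(counts: Dict[str, int], max_high: int = 0,
                      max_medium: int = 5) -> bool:
    """Build-breaker policy (assumed thresholds): any High, or too many Medium."""
    return counts.get("High", 0) > max_high or counts.get("Medium", 0) > max_medium


def fake_zap_transport(url: str) -> bytes:
    """Constructed responses standing in for a running ZAP daemon (offline demo)."""
    path = urllib.parse.urlsplit(url).path
    if path.endswith("/core/action/accessUrl/"):
        return b'{"Result":"OK"}'
    if path.endswith("/ascan/action/scan/"):
        return b'{"scan":"0"}'
    if path.endswith("/ascan/view/status/"):
        return b'{"status":"100"}'
    if path.endswith("/core/view/alerts/"):
        return json.dumps({"alerts": [  # constructed sample alerts
            {"risk": "High", "alert": "SQL Injection",
             "url": "http://localhost/webaktesecurity/home"},
            {"risk": "Low", "alert": "X-Frame-Options Header Not Set",
             "url": "http://localhost/webaktesecurity/home"}]}).encode()
    raise AssertionError("unexpected API call: " + url)


if __name__ == "__main__":
    result = scan_single_url("http://localhost/webaktesecurity/home",
                             transport=fake_zap_transport)
    print(result, "FAIL BUILD" if build_should_fail(result) else "deploy ok")
```

Swap fake_zap_transport for the default http_transport to run against a real daemon started with `zap.sh -daemon -port 8080 -config api.key=changeme`; for a crawl of the whole application rather than one URL, run spider/action/scan and poll spider/view/status before the active scan in the same way.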

@jengra
Author

jengra commented Aug 13, 2015

OK, I want to try to explain exactly what I'm doing.

I found some script:
https://github.com/gmaran23/zaproxy/tree/master/dotnet/api/src/OWASPZAPDotNetAPI

I tried it.

These steps are clear; everything works fine, I can start ZAP via UI or via console app:
ZAP.StartZapUI();
ZAP.StartZAPDaemon();
SimplePointAndClickScan.Go();
Tests;

But this does not:
AuthenticatedScanWithFormsAuthentication.Go();
If I had the same parameters for target URL and proxy, I would get the following error.

2015-08-13 10:40:06,894 [main ] INFO ZAP - OWASP ZAP 2.4.1 started.
2015-08-13 10:40:06,942 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.data
2015-08-13 10:40:06,942 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.lck
2015-08-13 10:40:06,943 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.log
2015-08-13 10:40:17,455 [main ] FATAL ZAP - invalid database address: jdbc:hsqldb:file:C:/Users/jennifer.simson/OWASP ZAP/session/untitled1
java.sql.SQLException: invalid database address: jdbc:hsqldb:file:C:/Users/jennifer.simson/OWASP ZAP/session/untitled1
at org.sqlite.JDBC.createConnection(JDBC.java:110)
at org.sqlite.JDBC.connect(JDBC.java:87)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.start(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabase.open(Unknown Source)
at org.parosproxy.paros.model.Model.createAndOpenUntitledDb(Unknown Source)
at org.parosproxy.paros.model.Model.init(Unknown Source)
at org.zaproxy.zap.ZAP.run(Unknown Source)
at org.zaproxy.zap.ZAP.main(Unknown Source)

I have no idea what's going wrong.

Any help?

The application crashes here:
private static void LoadTargetUrlToSitesTree()
{
    _api.AccessUrl(_target);
}

The remote server returned an error: (500) Internal Server Error

If I open the _target in a browser I can see my site.

Any ideas? I only want this example to run so I can do my work. I don't know why I get this error.

@kingthorin
Member

2015-08-13 10:40:06,942 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.data
2015-08-13 10:40:06,942 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.lck
2015-08-13 10:40:06,943 [main ] ERROR Model - Failed to delete file C:\Users\jennifer.simson\OWASP ZAP\session\untitled1.log
2015-08-13 10:40:17,455 [main ] FATAL ZAP - invalid database address: jdbc:hsqldb:file:C:/Users/jennifer.simson/OWASP ZAP/session/untitled1
java.sql.SQLException: invalid database address: jdbc:hsqldb:file:C:/Users/jennifer.simson/OWASP ZAP/session/untitled1

Does C:/Users/jennifer.simson/OWASP ZAP/ exist and can you write to it?
Had you tried to start ZAP multiple times? (Either GUI or via this script?)

@jengra
Author

jengra commented Aug 13, 2015

OK, thanks a lot, it's working.
I had no write authorization in that folder; I changed it and it works. Thank you!!!!!

@jengra
Author

jengra commented Aug 17, 2015

Hey,
can I ask you more things about programming with OWASP? Or is it not allowed?
I think I understand some things wrong.
Is it correct that I only give the console program a root URL, or do I have to ensure that all URLs have been gone through first?
An example:
http://domain.de/home/index root directory
Our application has many subfolders,
example:
http://domain.de/e.10444444/dashboard/index sub-directories
http://domain.de/e.10444444/settings/index
http://domain.de/e.10444444/settings/anithinelse
and a lot more.
If I do the same in the OWASP UI, I add my proxy in Firefox, then I start our application and check each link.
After that I add the context and user in ZAP and I start my scan or the spider.
I have to do the same in the console app.
The problem with "internal server error 500" is not fixed,
but I think I don't need this method; I'm not sure.
Let me tell you what I intend:
I add a console application in the build server;
this console app starts ZAP and runs the tests.
If we have enough errors we want to stop the deployment of the live system.
You asked me if I tried to start ZAP multiple times?
I think not, because I open the ZAP daemon and at the end I shut down ZAP.
Is that possible? Can you give me leads?
Thank you,
many greetings

@jengra
Author

jengra commented Aug 17, 2015

Can you reopen my issue, or should I create a new issue?

@lock

lock bot commented Feb 1, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Feb 1, 2020