mozilla :: #websectools

20 Mar 2017
07:39psiinonmorning
10:48rain0rhi there
10:50rain0rWhen I'm doing a Spider/Active Scan in Zaproxy itself (with gui) it takes much much longer and has plenty of more warnings than when I'm doing the same thing with the Java Api (and this code: https://github.com/zaproxy/zap-api-java/blob/develop/subprojects/zap-clientapi/src/examples/java/org/zaproxy/clientapi/examples/SimpleExample.java) - what could be the problem here?
10:50rain0rSame policy, same Zaproxy instance
10:51psiinonok, break it down - run the spider with the gui, see how many urls if finds
10:51psiinonthen run the spider via the api with the same gui - how many urls does that find?
10:52rain0rhow do I print out the urls from the spider in the api?
10:52psiinonthen do the same with the active scanner, but monitor the scan progress
10:52psiinonlook at them in the ui - it will update that :)
10:52rain0rhehe you're right
10:52psiinon:)
10:53psiinonwe try to make sure commands invoked from the api are reflected in the ui - makes debugging much easier :)
11:04rain0rAh... the active scan is not doing any requests at all
11:04psiinonthat might make a difference then :)
11:24thc202rain0r, what's the cause?
12:03rain0rthc202, well, I don't know. Trying to figure it out
12:05thc202ok, are you scanning a context? in the log, how many URLs/nodes does it say that will be scanned?
12:11psiinonjotes: ping
12:12jotesHey wassup?
12:14psiinonso I suck at python :(
12:15psiinonany idea what I've done wrong here? https://github.com/zaproxy/zap-api-python/pull/11
12:29jotes Give me a moment I'm on the meeting
12:29psiinonsure, np :)
12:32rain0rthc202, INFO HostProcess - Scanning 32 node(s)
12:33rain0rIn the spider tab it says "found 56 URI", in the active scan tab it says "running scans: 0, num requests: 0"
12:35rain0rlog: https://paste.hihn.org/8dR0/raw
12:38thc202hm, what does it show in the Scan Progress dialogue? (number of requests and skipped state)
12:44rain0rThere is just one Plugin listed
12:46rain0rallthough I started zap with -addoninstallall
12:47psiinonrain0r: you might need to sleep until they are all installed?
12:57jotespsiinon: I'll send you a patch later to fix those tests.
12:57psiinonthanks!
13:17rain0rpsiinon, it's rather that they are only loaded after a restart of zap
13:18psiinonoh :/ thats not right
13:21thc202rain0r, is that with upstream?
13:21rain0ryes, upstream
13:23thc202could you share the zap.logs (when running with UI and without)? (interested in the initialisation, when the add-ons are installed)
13:24rain0rno scan, just initialization: https://paste.hihn.org/taim/raw - is that ok?
13:34thc202yeah, the add-ons are being initialised
13:35thc202I notice that there are two ZAP instances being run? ("GuiBootstrap - OWASP ZAP Dev Build started ..." is being logged twice)
13:52rain0rHm there should be only one instance
13:53rain0rhow can I print out all the installedAddons with: apiResponse = getClientApi().callApi("autoupdate", "view", "installedAddons", null);?
13:53rain0rapiResponse only has getName() and getClass()
13:56thc202you need to cast the apiResponse to ApiResponseList then iterate its entries (which are ApiResponseSet)
13:59thc202but using apiResponse.toString(0) should be enough if you just want to print that
13:59thc202that -> the contents of the response
14:04rain0rI tried to cast it but eclipse won't let me do that, I will try your proposal
14:05rain0rworks, thanks
14:09rain0rI don't get it ... I have lots of addons installed but the active scan is somehow not working ...
14:09rain0rhttps://paste.hihn.org/2nrO/raw
14:11thc202hm, what do you get with http://zap/JSON/ascan/view/scanners/?scanPolicyName=Default+Policy (assuming you are using the Default Policy)
14:34rain0rhttps://paste.hihn.org/hs4K/raw
14:40thc202thanks, the scanners are there then
14:41thc202what do you get with ascan/view/messagesIds ? is it empty?
14:41rain0rno, there are plenty of lines
14:42thc202ah, it's sending requests then, and alertsIds?
14:46rain0rnot really ... no requests
14:47rain0rold school screenshot: https://up.hihn.org/media/images/2017-03-20_15_45_00-Untitled_Session_-_20170320-154312_-_OWASP_ZAP_Dev_Build.png
14:47rain0r0 requests everywhere
14:51thc202that's odd, if there are requests in messagesIds it should also show in the UI :/
14:55thc202how about ascan/view/scanProgress that should be the same as the one shown in the UI
14:58rain0rIt says: {"scanProgress":["http://localhost:33006",{"HostProcess":[{"Plugin":["Script Active Scan Rules","50000","release","Complete","0","0"]}]}]}
15:00rain0rAh, one second
15:00rain0rI didn't had any addons installed
15:00rain0rnow with all addons installed:
15:01rain0rhttps://paste.hihn.org/Lnjo/raw
15:08thc202yeah, that matches the UI, no requests
15:09thc202the problem is most likely in the input vectors enabled/disabled
15:10rain0rwhat does that mean? I got something disabled?
15:10thc202if ZAP is not able to extract any IV from the request being scanned it will not send any request
15:11thc202take a look at Options > Active Scan Input Vectors, which ones are enabled?
15:12rain0rURL Query String, POST Data, MultiPart, XML, JSON, Woogle Web Toolkit, OData, Direct Web Remoting
15:13thc202no idea then, would have to debug HostProcess and a scanner :/
15:15rain0rMy plan is to create a regression test for zap. cloning either upstream or a tag/release, running a pre-defined policy on a reference website and checking the alerts. I thought that wouldn't be so difficult ;-)
15:18thc202it shouldn't :(
15:19thc202do you get the same results with 2.5.0?
15:21rain0rTrying it now
15:21thc202thank you
15:23rain0rYep, zero requests
15:25thc202ok, which parameters are you passing to the ascan API method?
15:28rain0rapi.ascan.scan(TARGET, "True", "True", "Default Policy", null, null);
15:32thc202hm, might be because of inscopeonly being true, are the messages in scope?
15:33thc202(and the scanner should take that into account when calculating the number of nodes that will be scanned...)
15:52rain0rI'm trying it
16:57psiinonjotes: any suggestion for how to make a url request in python where you can set headers and ignore cert errors?
21 Mar 2017
No messages
   
Last message: 188 days and 21 hours ago