在 python 代码中为应用程序自动执行 owasp zap 时出错
Getting error in python code for automate owsap zap for the application
我正在尝试根据以下文章自动执行 owasp zap 以扫描项目以识别安全漏洞:
https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html
我在下面的代码行中遇到错误:-
zap.spider.scan(target)
脚本来源:-
https://github.com/zaproxy/zaproxy/wiki/ApiPython
我正在使用的代码:-
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2
# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()
# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})
# ZAP starts accessing the target.
print 'Accessing target %s' % target
zap.urlopen(target)
time.sleep(2)
# The spider starts crawling the website for URLs
print 'Spidering target %s' % target
zap.spider.scan(target)
# Progress of spider
time.sleep(2)
print 'Status %s' % zap.spider.status
while (int(zap.spider.status) < 100):
print 'Spider progress %: ' + zap.spider.status
time.sleep(400)
print 'Spider completed'
# Give the passive scanner a chance to finish
time.sleep(5)
# The active scanning starts
print 'Scanning target %s' % target
zap.ascan.scan(target)
while (int(zap.ascan.status) < 100):
print 'Scan progress %: ' + zap.ascan.status
time.sleep(600)
print 'Scan completed'
# Report the results
print 'Hosts: ' + ', '.join(zap.core.hosts)
print 'Alerts: '
pprint(zap.core.alerts())
我得到的错误:-
root@kali:~/.jenkins/workspace/zap# python website-scan.py Accessing
target http://google.com/ Spidering target http://google.com/
Traceback (most recent call last): File "website-scan.py", line 21,
in
zap.spider.scan(target) File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan
return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params))) File
"build/bdist.linux-x86_64/egg/zapv2/init.py", line 158, in
_request File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json
return complexjson.loads(self.text, **kwargs) File "/usr/lib/python2.7/dist-packages/simplejson/init.py", line 516,
in loads
return _default_decoder.decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in
decode
obj, end = self.raw_decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in
raw_decode
return self.scan_once(s, idx=_w(s, idx).end()) simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1
(char 0)
如果我遗漏了什么请告诉我
http://google.com/ will redirect to something like https://google.com/ 所以你需要改用它。
顺便说一句,你真的有权限攻击google.com吗?
您使用的是哪个版本的 ZAP,如何启动它?
从 ZAP 2.6.0 开始,默认情况下您需要使用 API 密钥并且只能从本地主机连接。您链接到的页面上的脚本已更新为使用 API 键 (https://github.com/zaproxy/zaproxy/wiki/ApiPython)
如果您不想使用 API 密钥,或者需要从远程计算机连接,请参阅此常见问题解答:https://github.com/zaproxy/zaproxy/wiki/FAQapikey
我正在尝试根据以下文章自动执行 owasp zap 以扫描项目以识别安全漏洞:
https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html
我在下面的代码行中遇到错误:-
zap.spider.scan(target)
脚本来源:-
https://github.com/zaproxy/zaproxy/wiki/ApiPython
我正在使用的代码:-
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2
# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()
# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})
# ZAP starts accessing the target.
print 'Accessing target %s' % target
zap.urlopen(target)
time.sleep(2)
# The spider starts crawling the website for URLs
print 'Spidering target %s' % target
zap.spider.scan(target)
# Progress of spider
time.sleep(2)
print 'Status %s' % zap.spider.status
while (int(zap.spider.status) < 100):
print 'Spider progress %: ' + zap.spider.status
time.sleep(400)
print 'Spider completed'
# Give the passive scanner a chance to finish
time.sleep(5)
# The active scanning starts
print 'Scanning target %s' % target
zap.ascan.scan(target)
while (int(zap.ascan.status) < 100):
print 'Scan progress %: ' + zap.ascan.status
time.sleep(600)
print 'Scan completed'
# Report the results
print 'Hosts: ' + ', '.join(zap.core.hosts)
print 'Alerts: '
pprint(zap.core.alerts())
我得到的错误:-
root@kali:~/.jenkins/workspace/zap# python website-scan.py Accessing target http://google.com/ Spidering target http://google.com/ Traceback (most recent call last): File "website-scan.py", line 21, in zap.spider.scan(target) File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params))) File "build/bdist.linux-x86_64/egg/zapv2/init.py", line 158, in _request File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib/python2.7/dist-packages/simplejson/init.py", line 516, in loads return _default_decoder.decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode obj, end = self.raw_decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode return self.scan_once(s, idx=_w(s, idx).end()) simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
如果我遗漏了什么请告诉我
http://google.com/ will redirect to something like https://google.com/ 所以你需要改用它。
顺便说一句,你真的有权限攻击google.com吗?
您使用的是哪个版本的 ZAP,如何启动它?
从 ZAP 2.6.0 开始,默认情况下您需要使用 API 密钥并且只能从本地主机连接。您链接到的页面上的脚本已更新为使用 API 键 (https://github.com/zaproxy/zaproxy/wiki/ApiPython)
如果您不想使用 API 密钥,或者需要从远程计算机连接,请参阅此常见问题解答:https://github.com/zaproxy/zaproxy/wiki/FAQapikey