ZAP 主动扫描在桌面上有效,但在 docker 图像中失败并出现 url_not_in_context 错误
ZAP active scan works in desktop but fails in docker image with url_not_in_context error
我能够使用 ZAP 桌面扫描我的 API,但在从 zap docker 图像进行主动扫描时失败并出现 'url_not_in_context' 错误。上下文定义从桌面导出并指定为 zap-api-scan.py.
的参数
我正在使用 zap2docker-stable 图像扫描 APIs。加载自定义脚本以进行身份验证 httpsender。
错误:
51660 [ZAP-ProxyThread-15] 警告 org.zaproxy.zap.extension.api.API - 来自 [127.0.0.1] 的 API 端点 [/JSON/ascan/action/scanAsUser/] 的错误请求:
org.zaproxy.zap.extension.api.ApiException: url_not_in_context
在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:879) ~[zap-2.10.0.jar:2.10.0]
在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:370) ~[zap-2.10.0.jar:2.10.0]
在 org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-2.10.0.jar:2.10.0]
我已经实施了 ZAP SCAN: Jenkins Job failed (url_not_in_context)
中提到的建议
Docker 命令:
docker 运行 -v D:/dev/cloud/zap/scripts:/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -d -t 客户-api-docs.json -f 打开api -r /zap/wrk/testreport.html -n 客户-service.context.xml -U bob@xyz.com --hook=load-script.py -z "-addoninstall jython"
在上下文文件中增加正则表达式配置:
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
相同的配置在 ZAP 桌面中工作。
以下日志在执行开始时打印,但随后继续启动 zap、加载插件并最终失败。它是预期的还是指向某个问题?
Jun 11, 2021 6:58:40 AM java.util.prefs.FileSystemPreferences run
INFO: Created user preferences directory.
zap_started(<zapv2.ZAPv2 object at 0x7f3750bf13d0>, customer-api-docs.json)
load authentication script
load http sender script
2021-06-11 06:59:20,857 Number of Imported URLs: 9
Traceback (most recent call last):
File "/zap/zap-api-scan.py", line 484, in main
zap_active_scan(zap, target, scan_policy)
File "/zap/zap_common.py", line 104, in _wrap
return_data = func(*args_list, **kwargs)
File "/zap/zap_common.py", line 450, in zap_active_scan
raise_scan_not_started()
File "/zap/zap_common.py", line 399, in raise_scan_not_started
raise ScanNotStartedException('Failed to start the scan, check the log/output for more details.')
zap_common.ScanNotStartedException: Failed to start the scan, check the log/output for more details.
Found Java version 11.0.9.1
Available memory: 3917 MB
Using JVM args: -Xmx979m
2381 [main] INFO org.parosproxy.paros.Constant - Copying default configuration to /home/zap/.ZAP/config.xml
我必须在扫描期间设置 api密钥吗?如何确定 api 实例的 docker 键?
2021-06-11 10:33:20,894 http://localhost:46219 "GET http://zap/JSON/ascan/action/scanAsUser/?apikey=&url=http%3A%2F%2Fdev.xyz.com&contextId=1&userId=10&recurse=True&scanPolicyName=API-最小 HTTP/1.1" 400 89
上下文文件:
<configuration>
<context>
<name>customer-service</name>
<desc/>
<inscope>true</inscope>
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
<tech>
<include>Db.IBM DB2</include>
<include>Language.JSP/Servlet</include>
<include>Language.Java</include>
<include>Language.JavaScript</include>
<include>OS.Linux</include>
<include>WS.Tomcat</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.HypersonicSQL</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft SQL Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.MySQL</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.PostgreSQL</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.SQLite</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.PHP</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.MacOS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.Git</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.Apache</exclude>
<exclude>WS.IIS</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","kvs":"=","struct":[]}</config>
</postparser>
<authentication>
<type>4</type>
<strategy>EACH_RESP</strategy>
<pollurl/>
<polldata/>
<pollheaders/>
<pollfreq>60</pollfreq>
<pollunits>REQUESTS</pollunits>
<loggedin>HTTP\/1.1\s(200|404|400|500|403)</loggedin>
<loggedout>HTTP\/1.1\s401</loggedout>
<script>
<name>oidc_ropc_script</name>
<params>Y2xpZW50SWQ=:cnhub3Zh</params>
</script>
</authentication>
<users>
<user>10;true;Ym9iQHNzYy5jb20=;4;cGFzc3dvcmQ=:d2VsY29tZTE=&dXNlcm5hbWU=:Ym9iQHNzYy5jb20=</user>
</users>
<forceduser>10</forceduser>
<session>
<type>1</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
我错过了什么?
终于找到问题了!!
zap-api-scan 规范化目标 URL 以删除上下文。所以 http://dev.xyz.com/customer was changed to http://dev.xyz.com.
因为这不是允许的 URLs 的一部分,所以它总是失败。更改 incregex 以删除上下文路径 /customer 解决了问题。
这是不同于桌面模式的行为。可能是一个错误。
我能够使用 ZAP 桌面扫描我的 API,但在从 zap docker 图像进行主动扫描时失败并出现 'url_not_in_context' 错误。上下文定义从桌面导出并指定为 zap-api-scan.py.
的参数我正在使用 zap2docker-stable 图像扫描 APIs。加载自定义脚本以进行身份验证 httpsender。
错误: 51660 [ZAP-ProxyThread-15] 警告 org.zaproxy.zap.extension.api.API - 来自 [127.0.0.1] 的 API 端点 [/JSON/ascan/action/scanAsUser/] 的错误请求: org.zaproxy.zap.extension.api.ApiException: url_not_in_context 在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:879) ~[zap-2.10.0.jar:2.10.0] 在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:370) ~[zap-2.10.0.jar:2.10.0] 在 org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-2.10.0.jar:2.10.0]
我已经实施了 ZAP SCAN: Jenkins Job failed (url_not_in_context)
中提到的建议Docker 命令:
docker 运行 -v D:/dev/cloud/zap/scripts:/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -d -t 客户-api-docs.json -f 打开api -r /zap/wrk/testreport.html -n 客户-service.context.xml -U bob@xyz.com --hook=load-script.py -z "-addoninstall jython"
在上下文文件中增加正则表达式配置:
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
相同的配置在 ZAP 桌面中工作。
以下日志在执行开始时打印,但随后继续启动 zap、加载插件并最终失败。它是预期的还是指向某个问题?
Jun 11, 2021 6:58:40 AM java.util.prefs.FileSystemPreferences run
INFO: Created user preferences directory.
zap_started(<zapv2.ZAPv2 object at 0x7f3750bf13d0>, customer-api-docs.json)
load authentication script
load http sender script
2021-06-11 06:59:20,857 Number of Imported URLs: 9
Traceback (most recent call last):
File "/zap/zap-api-scan.py", line 484, in main
zap_active_scan(zap, target, scan_policy)
File "/zap/zap_common.py", line 104, in _wrap
return_data = func(*args_list, **kwargs)
File "/zap/zap_common.py", line 450, in zap_active_scan
raise_scan_not_started()
File "/zap/zap_common.py", line 399, in raise_scan_not_started
raise ScanNotStartedException('Failed to start the scan, check the log/output for more details.')
zap_common.ScanNotStartedException: Failed to start the scan, check the log/output for more details.
Found Java version 11.0.9.1
Available memory: 3917 MB
Using JVM args: -Xmx979m
2381 [main] INFO org.parosproxy.paros.Constant - Copying default configuration to /home/zap/.ZAP/config.xml
我必须在扫描期间设置 api密钥吗?如何确定 api 实例的 docker 键?
2021-06-11 10:33:20,894 http://localhost:46219 "GET http://zap/JSON/ascan/action/scanAsUser/?apikey=&url=http%3A%2F%2Fdev.xyz.com&contextId=1&userId=10&recurse=True&scanPolicyName=API-最小 HTTP/1.1" 400 89
上下文文件:
<configuration>
<context>
<name>customer-service</name>
<desc/>
<inscope>true</inscope>
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
<tech>
<include>Db.IBM DB2</include>
<include>Language.JSP/Servlet</include>
<include>Language.Java</include>
<include>Language.JavaScript</include>
<include>OS.Linux</include>
<include>WS.Tomcat</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.HypersonicSQL</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft SQL Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.MySQL</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.PostgreSQL</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.SQLite</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.PHP</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.MacOS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.Git</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.Apache</exclude>
<exclude>WS.IIS</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","kvs":"=","struct":[]}</config>
</postparser>
<authentication>
<type>4</type>
<strategy>EACH_RESP</strategy>
<pollurl/>
<polldata/>
<pollheaders/>
<pollfreq>60</pollfreq>
<pollunits>REQUESTS</pollunits>
<loggedin>HTTP\/1.1\s(200|404|400|500|403)</loggedin>
<loggedout>HTTP\/1.1\s401</loggedout>
<script>
<name>oidc_ropc_script</name>
<params>Y2xpZW50SWQ=:cnhub3Zh</params>
</script>
</authentication>
<users>
<user>10;true;Ym9iQHNzYy5jb20=;4;cGFzc3dvcmQ=:d2VsY29tZTE=&dXNlcm5hbWU=:Ym9iQHNzYy5jb20=</user>
</users>
<forceduser>10</forceduser>
<session>
<type>1</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
我错过了什么?
终于找到问题了!!
zap-api-scan 规范化目标 URL 以删除上下文。所以 http://dev.xyz.com/customer was changed to http://dev.xyz.com.
因为这不是允许的 URLs 的一部分,所以它总是失败。更改 incregex 以删除上下文路径 /customer 解决了问题。
这是不同于桌面模式的行为。可能是一个错误。