使用OWASP Zap Api进行扫描

时间:2020-04-01 06:58:02

标签: java owasp zap

我正在尝试使用脚本扫描目标并执行主动扫描,以此作为概念证明。我已经在下面实现了该实现,但是我无法使其正常工作,我不确定为什么它不起作用?我正在运行Zap2Docker,并且可以通过api访问它,我也可以通过gui访问,从gui扫描目标可以正常工作,但是我的脚本无法在api上运行,请在下面查看:

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

import java.util.List;

public class Spider {

    private static String ZAP_ADDRESS;// = "ZAPContainerIp";
    private static int ZAP_PORT;// = 8090;
    // Change to match the API key set in ZAP, or use NULL if the API key is disabled
    private static String ZAP_API_KEY;// = "change me";
    // The URL of the application to be tested
    private static String TARGET;// = "https://targetip.com";
    private static boolean scanComplete;

    public static void main(String[] args) {
        ZAP_ADDRESS = args[0];
        ZAP_PORT = Integer.parseInt(args[1]);
        ZAP_API_KEY = args[2];
        TARGET = args[3];
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // Start spidering
            System.out.println("Spidering target : " + TARGET);
            ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
            String scanID;
            int progress;

            // The scan returns a scan id to support concurrent scanning
            scanID = ((ApiResponseElement) resp).getValue();
            // Poll the status until it completes
            while (true) {
                Thread.sleep(1000);
                progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
                System.out.println("Spider progress : " + progress + "%");
                if (progress >= 100) {
                    scanComplete = true;
                    break;
                }
            }
            System.out.println("Spider completed");
            // If required post process the spider results
            List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();
            if (scanComplete) {
                ActiveScan activeScan = new ActiveScan();
                activeScan.attack(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY, TARGET);
            }


        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}

扫描:

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;

public class ActiveScan {

    private int zapPort;// = 8090;
    private String zapApiKey;// = null;
    private String zapAddress;// = "localhost";
    private String target;// = "https://targetip.com";

    public ActiveScan(int zapPort, String zapApiKey, String zapAddress, String target) {
        this.zapPort = zapPort;
        this.zapApiKey = zapApiKey;
        this.zapAddress = zapAddress;
        this.target = target;
    }

    public ActiveScan() {
    }

    public void attack(String zapAddress, int zapPort, String zapApiKey, String target){


        ClientApi api = new ClientApi(zapAddress, zapPort, zapApiKey);

        try {
            System.out.println("Active Scanning target : " + target);
            ApiResponse resp = api.ascan.scan(target, "True", "False", null, null, null);
            String scanid;
            int progress;

            // Scan returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();
            // Poll status until it completes
            while (true) {
                Thread.sleep(5000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }

            System.out.println("Active Scan complete");
            // Print vulnerabilities found by the scanning
            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }

}

运行时出现错误:

java -jar WafTestSuite.jar "zapurl" "8090" "change-me-9203935709" "10.10.10.254:3000"; Spidering target : 10.10.8.254:3000
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:366)
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.http://java:350)
at org.zaproxy.clientapi.gen.Spider.scan(Spider.http://java:242)
at Spider.main(Spider.java:28)
Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.http://java:399)
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:364)

感谢您的帮助。

2 个答案:

答案 0 :(得分:1)

默认情况下,ZAP不接受与API的远程连接。您需要启用它们并设置合适的API密钥(或禁用它)。此常见问题解答中的更多详细信息:https://www.zaproxy.org/faq/how-can-i-connect-to-zap-remotely/

答案 1 :(得分:0)

此错误消息... 

java -jar WafTestSuite.jar "zapurl" "8090" "change-me-9203935709" "10.10.10.254:3000"; Spidering target : 10.10.8.254:3000
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:366)

...表示远程服务器接受并关闭了连接而没有发送响应。

此错误的背后可能有很多原因,其中一些原因如下:

  • 可能是远程系统太忙而无法处理请求,因此断开了连接。
  • 请求中可能缺少标头值/标头值无效,这会导致内部错误,并且服务器会关闭连接,而不是正常发送HTTP错误响应。
  • 由于应用程序随机断开连接,可能会导致网络延迟。

但是,根据代码块中 proxy 的配置,很明显,尽管您将ZAP_API_KEY初始化为 String 您尚未分配任何值。因此是错误。

因此,基本上,您配置ZAP的代码块将是:

private static final String ZAP_ADDRESS = "localhost";
private static final int ZAP_PORT = 8080;
// Change to match the API key set in ZAP, or use NULL if the API key is disabled
private static final String ZAP_API_KEY = "abcdefghijklmnop123456789";
// The URL of the application to be tested
private static final String TARGET = "http://localhost:3000";

为什么默认情况下需要API密钥?

根据documentation,因为ZAP版本2.4.1可用,因此默认情况下需要配置 API密钥,以便调用对ZAP进行更改的API操作。此外,随着ZAP版本2.6.0的可用性,默认情况下需要 API密钥才能调用任何API操作。实施此安全功能是为了防止恶意站点调用ZAP API。可以在“ API选项”屏幕(ZAP代理界面->工具->选项-> API)中找到API安全选项,包括API密钥:

ZAP_API_key

更改API密钥

您可以通过以下不同方式更改API密钥:

  • 通过点击生成随机密钥按钮来生成新的API密钥。

  • 通过使用以下命令从命令行设置API密钥:

    -config api.key=change-me-9203935709

  • 使用以下命令从命令行禁用API密钥:

    -config api.disablekey=true
相关问题
最新问题