ZAP tool gets stuck in the middle when launching

Time: 2017-12-20 09:52:27

Tags: security selenium-webdriver penetration-testing zap zapproxy

I am trying to integrate Selenium with ZAP.

To achieve this, I use the following code to open the ZAP tool automatically before launching the browser with Selenium.

The problem I am facing is that the ZAP tool does not open properly; it gets stuck in the middle.

The following is the code I use to open the ZAP tool.

Code:

Error:

org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)
at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:220)
at com.exterro.fusion.selenium.controls.ZAPConfigurations.triggerZAP(ZAPConfigurations.java:61)
at com.exterro.fusion.selenium.core.FusionSignin.config(FusionSignin.java:54)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient$1.run(Unknown Source)
at sun.net.www.http.HttpClient$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:338)
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)
... 31 more
... Removed 27 stack frames

2 answers:

Answer 0 (score: 1)

It looks like you are not specifying an API key when you start ZAP. If that is the case, ZAP will generate one for you, but you will not know what it is and so cannot use it, and ZAP will ignore your API calls.

To set the API key on the command line, use this option: -config api.key=change-me-9203935709

You can also disable the API key in a safe environment; see https://github.com/zaproxy/zaproxy/wiki/FAQapikey for details.

Answer 1 (score: 0)

This error message...

org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

...indicates that the Java client was unable to initiate a new connection with the Proxy.

This error can surface for several reasons. A few checkpoints for resolving it are as follows:

  • Ensure that the ZAP proxy is up and running before the Java client attempts to communicate with the proxy. You can find a relevant discussion in How to start using the Java based ZAP APIs
  • Ensure that the API settings on the proxy server side are enabled. You can find a relevant discussion in Unable to perform zap spider scan using zap-java-api
  • When initiating the Java client connection, you must mandatorily mention the API key, because by default ZAP requires an API key to invoke API operations that make changes to ZAP. Hence, by default, an API key is required to invoke any API operation. This is a security feature that prevents malicious sites from invoking the ZAP API. The API security options (including the API key) can be found in the API Options screen.

    • Code block:

      private static final int ZAP_PORT = 8080;
      private static final String ZAP_API_KEY = "abcdefghijklmnop123456789";
      private static final String ZAP_ADDRESS = "localhost";
      private static final String TARGET = "https://public-firing-range.appspot.com";

    You can find a relevant discussion in Scanning using OWASP Zap Api
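The checkpoints in the answers above (ZAP not yet listening, API key not known to the client) can be folded into the launcher itself. The following is an added example, not code from the question or either answer: it starts ZAP in daemon mode with an explicit API key and polls the API until ZAP answers, so the spider is never called against a port that is still closed. The path of the ZAP launcher script and the key value are assumptions; replace them for your setup.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import java.io.IOException;

public class ZapLauncher {
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Placeholder key; use the same value here and on the ZAP command line.
    private static final String ZAP_API_KEY = "change-me-9203935709";
    // Assumption: location of the ZAP launcher script on this machine (zap.bat on Windows).
    private static final String ZAP_SCRIPT = "/opt/zaproxy/zap.sh";

    /** Start ZAP headless, bound to the expected address/port, with a known API key. */
    public static Process startZapDaemon() throws IOException {
        ProcessBuilder pb = new ProcessBuilder(
                ZAP_SCRIPT, "-daemon",
                "-host", ZAP_ADDRESS,
                "-port", String.valueOf(ZAP_PORT),
                "-config", "api.key=" + ZAP_API_KEY);
        pb.inheritIO();
        return pb.start();
    }

    /** Poll core.version() until ZAP responds or the timeout expires. */
    public static ClientApi waitForZap(long timeoutMillis) throws InterruptedException {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (System.currentTimeMillis() < deadline) {
            try {
                ApiResponse resp = api.core.version();
                System.out.println("ZAP is up, version " + ((ApiResponseElement) resp).getValue());
                return api;
            } catch (ClientApiException e) {
                // "Connection refused" means ZAP is still starting; a rejected key also lands here,
                // so the message is logged to tell the two apart.
                System.out.println("ZAP not ready yet: " + e.getMessage());
                Thread.sleep(1000);
            }
        }
        throw new IllegalStateException("ZAP did not answer on " + ZAP_ADDRESS + ":" + ZAP_PORT);
    }

    public static void main(String[] args) throws Exception {
        startZapDaemon();
        ClientApi api = waitForZap(60_000);
        // Only now is it safe to call api.spider.scan(...) and start the Selenium session.
    }
}
```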