无法使用zap-java-api

时间:2018-05-15 12:04:36

标签: java-api zap

我正在尝试使用zap-java-api为目​​标网址运行蜘蛛扫描。请找到我上网的以下代码。

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class SimpleExample {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8500;
    private static final String ZAP_API_KEY =
            "q0tgadu0fperhi21q0870gc37"; // Change this if you have set the apikey in ZAP via Options / API

    private static final String TARGET = "https://demo.testfire.net/";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // Start spidering the target
            System.out.println("Spider : " + TARGET);
            // It's not necessary to pass the ZAP API key again, already set when creating the
            // ClientApi.
            ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
            String scanid;
            int progress;

            // The scan now returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();

            // Poll the status until it completes
            while (true) {
                Thread.sleep(1000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.spider.status(scanid)).getValue());
                System.out.println("Spider progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Spider complete");

            // Give the passive scanner a chance to complete
            Thread.sleep(2000);

            System.out.println("Active scan : " + TARGET);
            resp = api.ascan.scan(TARGET, "True", "False", null, null, null);

            // The scan now returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();

            // Poll the status until it completes
            while (true) {
                Thread.sleep(5000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Active Scan complete");

            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport()));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}

我一直在以下例外:

Spider : https://demo.testfire.net/
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
    at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:350)
    at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:331)
    at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:239)
    at com_test.SimpleExample.main(SimpleExample.java:24)
Caused by: java.net.SocketException: Unexpected end of file from server
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at java.net.HttpURLConnection.getResponseCode(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:361)
    at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:348)
    ... 3 more

除了目标网址之外,我不确定蜘蛛扫描内还能传递什么。因此将其传递为null。

ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);

我要做的就是为目标网址运行蜘蛛扫描并生成html& xml报告通过zap-java-api。任何有关这方面的工作示例都会非常有用。提前谢谢。

2 个答案:

答案 0 :(得分:0)

表明ZAP阻止了您的API调用。 是否在ZAP中启用了API? 您使用的是正确的API密钥吗?

您可以查看zap.log文件,该文件可能包含更多信息:https://github.com/zaproxy/zaproxy/wiki/FAQlogging

答案 1 :(得分:0)

此错误消息...

// Function Declarations
int isalpha(int c);

int main(void) {
    char letter = get_char("Letter:");
    bool yesno = isalpha(letter);

    if (yesno == true) {
        printf("True\n");
    } else {
        printf("False\n");
    }
}

...表示远程服务器虽然接受了连接但关闭了连接但未发送响应。


原因

此错误的背后可能有很多原因,其中一些原因如下:

  • 可能是远程系统太忙而无法处理请求,因此断开了连接。
  • 请求中可能缺少标头值/标头值无效,这会导致内部错误,并且服务器会关闭连接,而不是正常发送HTTP错误响应。
  • 由于应用程序随机断开连接,可能会导致网络延迟。

我在您的代码块中没有看到任何此类问题。但是我怀疑所有API设置均未正确启用。


解决方案

确保在工具(ZAP->工具->选项-> API)中启用了所有API设置:

ZAP_API_enable