
Getting an error in Python code automating OWASP ZAP for the application

I am trying to automate OWASP ZAP to scan a project and identify security vulnerabilities, as per the article below:

https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html

I am getting an error in the line of code below:

zap.spider.scan(target)

Script source:

https://github.com/zaproxy/zaproxy/wiki/ApiPython

Code I am using:

#!/usr/bin/env python

import time
from pprint import pprint
from zapv2 import ZAPv2

# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()

# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})

# ZAP starts accessing the target.
print 'Accessing target %s' % target
zap.urlopen(target)
time.sleep(2)

# The spider starts crawling the website for URLs
print 'Spidering target %s' % target
zap.spider.scan(target)

# Progress of spider
time.sleep(2)
print 'Status %s' % zap.spider.status
while (int(zap.spider.status) < 100):
   print 'Spider progress %: ' + zap.spider.status

   time.sleep(400)

print 'Spider completed'

# Give the passive scanner a chance to finish
time.sleep(5)

# The active scanning starts
print 'Scanning target %s' % target
zap.ascan.scan(target)
while (int(zap.ascan.status) < 100):
   print 'Scan progress %: ' + zap.ascan.status

   time.sleep(600)

print 'Scan completed'

# Report the results
print 'Hosts: ' + ', '.join(zap.core.hosts)
print 'Alerts: '
pprint(zap.core.alerts())

Error I am getting:

root@kali:~/.jenkins/workspace/zap# python website-scan.py
Accessing target http://google.com/
Spidering target http://google.com/
Traceback (most recent call last):
  File "website-scan.py", line 21, in <module>
    zap.spider.scan(target)
  File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params)))
  File "build/bdist.linux-x86_64/egg/zapv2/__init__.py", line 158, in _request
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/dist-packages/simplejson/__init__.py", line 516, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Please let me know if I am missing anything.

http://google.com/ will redirect to something like https://google.com/, so you'll need to use that instead.

BTW, do you actually have permission to attack google.com?

What version of ZAP are you using, and how are you starting it?

As of ZAP 2.6.0, by default you will need to use an API key and can only connect from localhost. The script on the page you linked to has been updated to use an API key (https://github.com/zaproxy/zaproxy/wiki/ApiPython).

If you don't want to use an API key, or need to connect from a remote machine, then see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
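As an added example (not code from the question, the answer, or the ZAP project), a stand-alone preflight against the ZAP JSON API written with only the Python 3 standard library: it sends the API key the answer refers to and turns the non-JSON reply hiding behind the traceback's JSONDecodeError into a readable error before any spider or active scan is started. It assumes ZAP's default listener at http://127.0.0.1:8080 (the question's script assumed 8090), the real `apikey` query parameter and `core/view/version` endpoint, and an injectable `fetch` so the logic can be exercised offline with constructed replies; the zapv2 client itself takes the same key via `ZAPv2(apikey=...)`.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class ZapApiError(Exception):
    """ZAP answered with something other than the JSON the client expects."""


def zap_api_url(base, component, kind, name, apikey="", **params):
    """Build a ZAP JSON API URL such as base/JSON/spider/action/scan/?url=..&apikey=..
    ZAP 2.6.0 and later require the key on every request unless it was disabled
    in ZAP's API options, in which case an empty apikey is simply omitted."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey
    return "%s/JSON/%s/%s/%s/?%s" % (base.rstrip("/"), component, kind, name, urlencode(query))


def _http_get(url):
    # Return the body even on 4xx/5xx so the caller sees ZAP's own error text.
    try:
        with urlopen(Request(url, headers={"Accept": "application/json"}), timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.read().decode("utf-8", "replace")


def zap_api_call(url, fetch=_http_get):
    """GET url and decode JSON. A non-JSON body (HTML error page, empty reply from a
    non-ZAP listener) becomes a ZapApiError that quotes the reply instead of the
    bare JSONDecodeError seen in the traceback. fetch is injectable for offline tests."""
    body = fetch(url)
    try:
        return json.loads(body)
    except ValueError:
        snippet = body.strip()[:120] or "<empty body>"
        raise ZapApiError("no JSON from %s; reply began with %r (missing or wrong API key, "
                          "wrong proxy port, or a non-ZAP listener?)" % (url, snippet))


def check_zap(base="http://127.0.0.1:8080", apikey="", fetch=_http_get):
    """Preflight before spidering: confirm the API is reachable and the key is accepted."""
    data = zap_api_call(zap_api_url(base, "core", "view", "version", apikey), fetch)
    if "version" not in data:  # a rejected call comes back as JSON without a version field
        raise ZapApiError("core/view/version rejected: %r" % (data,))
    return data["version"]
```

Run `check_zap(apikey="<your key>")` once at the top of the scan script; if it raises, the message tells you whether the key, the port or the target redirect is the problem.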
