
Getting an error in Python code for automating OWASP ZAP for the application

I am trying to automate OWASP ZAP to scan a project and identify security vulnerabilities, as per the article below:

https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html

I am getting an error in the line of code below:

zap.spider.scan(target)

Script source:

https://github.com/zaproxy/zaproxy/wiki/ApiPython

Code I am using:

```python
#!/usr/bin/env python

import time
from pprint import pprint
from zapv2 import ZAPv2

# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()

# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})

# ZAP starts accessing the target.
print 'Accessing target %s' % target
zap.urlopen(target)
time.sleep(2)

# The spider starts crawling the website for URLs
print 'Spidering target %s' % target
zap.spider.scan(target)

# Progress of spider
time.sleep(2)
print 'Status %s' % zap.spider.status
while (int(zap.spider.status) < 100):
   print 'Spider progress %: ' + zap.spider.status

   time.sleep(400)

print 'Spider completed'

# Give the passive scanner a chance to finish
time.sleep(5)

# The active scanning starts
print 'Scanning target %s' % target
zap.ascan.scan(target)
while (int(zap.ascan.status) < 100):
   print 'Scan progress %: ' + zap.ascan.status

   time.sleep(600)

print 'Scan completed'

# Report the results
print 'Hosts: ' + ', '.join(zap.core.hosts)
print 'Alerts: '
pprint(zap.core.alerts())
```

Error I am getting:

```
root@kali:~/.jenkins/workspace/zap# python website-scan.py
Accessing target http://google.com/
Spidering target http://google.com/
Traceback (most recent call last):
  File "website-scan.py", line 21, in <module>
    zap.spider.scan(target)
  File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params)))
  File "build/bdist.linux-x86_64/egg/zapv2/__init__.py", line 158, in _request
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/dist-packages/simplejson/__init__.py", line 516, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```


Please let me know if I am missing anything.

http://google.com/ will redirect to something like https://google.com/ so you'll need to use that instead.

BTW, do you actually have permission to attack google.com?

What version of ZAP are you using, and how are you starting it?

As of ZAP 2.6.0, by default you will need to use an API key and can only connect from localhost. The script on the page you linked to has been updated to use an API key (https://github.com/zaproxy/zaproxy/wiki/ApiPython).

If you don't want to use an API key, or need to connect from a remote machine, then see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
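The traceback in the question is the Python client trying to `json.loads()` a reply that is not JSON at all, which is what you get when ZAP refuses the call (no API key, as the answer says) or when the request never reached the API. The added example below (written for this page; it is not the question's script, the linked article's script, or the ZAP project's own client) rebuilds the request the same way the `zapv2` client does (`<base>/JSON/<component>/action/<name>/`), passes the `apikey` parameter, polls the spider by its own scan id instead of a bare `spider.status`, and turns a non-JSON body into an error that quotes the first bytes of the reply so the cause is visible. Assumptions not stated on the page: ZAP's API is reachable directly at `http://127.0.0.1:8090`, a real run takes the key and target from the `ZAP_API_KEY` and `ZAP_TARGET` environment variables, and the `fake_zap_fetch` replies (including the HTML "Forbidden" body) are constructed for the offline demo and are not ZAP's real error text.

```python
import json
import os
import time
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

ZAP_API_BASE = 'http://127.0.0.1:8090'  # assumption: ZAP's API reachable directly on localhost:8090


class ZapApiError(RuntimeError):
    """ZAP answered with something other than JSON (an error page, plain text or an empty body)."""


def build_api_url(component, kind, name, params=None, apikey=None, base=ZAP_API_BASE):
    """<base>/JSON/<component>/<kind>/<name>/?...  where kind is 'action' or 'view'.
    Same layout the zapv2 client uses (spider.scan -> base + 'spider/action/scan/')."""
    query = dict(params or {})
    if apikey:
        query['apikey'] = apikey  # ZAP 2.6.0+ refuses API actions without a key by default
    return '{}/JSON/{}/{}/{}/?{}'.format(base.rstrip('/'), component, kind, name, urlencode(query))


def parse_api_response(body):
    """Decode a ZAP JSON body. A non-JSON reply becomes a ZapApiError quoting its first bytes,
    instead of the bare 'Expecting value: line 1 column 1 (char 0)' from the question."""
    text = body.decode('utf-8', 'replace') if isinstance(body, bytes) else body
    try:
        return json.loads(text)
    except ValueError:
        snippet = text.strip()[:120] or '<empty body>'
        raise ZapApiError('ZAP did not return JSON (missing or wrong API key? wrong port? '
                          'request sent through the proxy instead of to the API?). '
                          'Reply began with: {!r}'.format(snippet))


def http_fetch(url):
    """Real transport: a plain GET against the API URL."""
    with urlopen(Request(url), timeout=30) as resp:
        return resp.read()


def zap_call(component, kind, name, params=None, apikey=None, fetch=http_fetch):
    """One API call, decoded; `fetch` is swappable so the module can run offline."""
    return parse_api_response(fetch(build_api_url(component, kind, name, params, apikey)))


def run_spider(target, apikey, fetch=http_fetch, poll_seconds=2):
    """Start the spider on `target` and poll that scan id until it reports 100 %.
    Returns the scan id. Polling per scan id replaces the question's bare spider.status loop."""
    scan_id = zap_call('spider', 'action', 'scan', {'url': target}, apikey, fetch)['scan']
    while int(zap_call('spider', 'view', 'status', {'scanId': scan_id}, apikey, fetch)['status']) < 100:
        time.sleep(poll_seconds)
    return scan_id


# --- constructed stand-in for ZAP so the example runs offline ----------------------------
# These replies are made up for this example; they are not ZAP's real error text.
_FAKE_REPLIES = {
    'spider/action/scan': b'{"scan":"0"}',
    'spider/view/status': b'{"status":"100"}',
}
_FAKE_NO_KEY_REPLY = b'<html><body>Forbidden</body></html>'


def fake_zap_fetch(url):
    """Behaves like a ZAP that insists on an API key: JSON with a key, an HTML page without."""
    parsed = urlparse(url)
    if 'apikey' not in parse_qs(parsed.query):
        return _FAKE_NO_KEY_REPLY
    path = parsed.path.split('/JSON/', 1)[1].strip('/')
    return _FAKE_REPLIES[path]


def demo():
    """Run the spider without a key (fails with a readable error) and then with one.
    Returns (error_message_without_key, scan_id_with_key)."""
    try:
        run_spider('https://www.google.com/', apikey=None, fetch=fake_zap_fetch, poll_seconds=0)
        message = None
    except ZapApiError as exc:
        message = str(exc)
    scan_id = run_spider('https://www.google.com/', apikey='secret', fetch=fake_zap_fetch, poll_seconds=0)
    return message, scan_id


if __name__ == '__main__':
    msg, sid = demo()
    print('without key:', msg)
    print('with key: spider scan id', sid)
    # Against a real ZAP, only if a key and a target you are allowed to scan are configured.
    if os.environ.get('ZAP_API_KEY') and os.environ.get('ZAP_TARGET'):
        print('real spider scan id', run_spider(os.environ['ZAP_TARGET'], os.environ['ZAP_API_KEY']))
```

Run it as-is to see the two outcomes side by side; point `ZAP_TARGET` at a host you are authorised to test before running against a live ZAP. Note that `parse_api_response` reports whatever ZAP actually sent, so a redirect to an HTTPS URL, a wrong port, or a request that went through the proxy rather than to the API are all distinguishable from the body it quotes.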
