[英]Scanning using OWASP Zap Api
我正在嘗試使用腳本來掃描目標並執行主動掃描作為概念證明。 我已經完成了下面的實現,但我無法讓它工作,我不確定為什么它不起作用? 我有 Zap2Docker 正在運行並且可以通過 api 訪問它,我也可以通過 gui 訪問從 gui 掃描目標工作正常,但是我的腳本無法在 api 上工作,請參見下面的內容:
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;
import java.util.List;
public class Spider {
private static String ZAP_ADDRESS;// = "ZAPContainerIp";
private static int ZAP_PORT;// = 8090;
// Change to match the API key set in ZAP, or use NULL if the API key is disabled
private static String ZAP_API_KEY;// = "change me";
// The URL of the application to be tested
private static String TARGET;// = "https://targetip.com";
private static boolean scanComplete;
public static void main(String[] args) {
ZAP_ADDRESS = args[0];
ZAP_PORT = Integer.parseInt(args[1]);
ZAP_API_KEY = args[2];
TARGET = args[3];
ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
try {
// Start spidering
System.out.println("Spidering target : " + TARGET);
ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
String scanID;
int progress;
// The scan returns a scan id to support concurrent scanning
scanID = ((ApiResponseElement) resp).getValue();
// Poll the status until it completes
while (true) {
Thread.sleep(1000);
progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
System.out.println("Spider progress : " + progress + "%");
if (progress >= 100) {
scanComplete = true;
break;
}
}
System.out.println("Spider completed");
// If required post process the spider results
List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();
if (scanComplete) {
ActiveScan activeScan = new ActiveScan();
activeScan.attack(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY, TARGET);
}
} catch (Exception e) {
System.out.println("Exception : " + e.getMessage());
e.printStackTrace();
}
}
}
掃描:
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;
public class ActiveScan {
private int zapPort;// = 8090;
private String zapApiKey;// = null;
private String zapAddress;// = "localhost";
private String target;// = "https://targetip.com";
public ActiveScan(int zapPort, String zapApiKey, String zapAddress, String target) {
this.zapPort = zapPort;
this.zapApiKey = zapApiKey;
this.zapAddress = zapAddress;
this.target = target;
}
public ActiveScan() {
}
public void attack(String zapAddress, int zapPort, String zapApiKey, String target){
ClientApi api = new ClientApi(zapAddress, zapPort, zapApiKey);
try {
System.out.println("Active Scanning target : " + target);
ApiResponse resp = api.ascan.scan(target, "True", "False", null, null, null);
String scanid;
int progress;
// Scan returns a scan id to support concurrent scanning
scanid = ((ApiResponseElement) resp).getValue();
// Poll status until it completes
while (true) {
Thread.sleep(5000);
progress =
Integer.parseInt(
((ApiResponseElement) api.ascan.status(scanid)).getValue());
System.out.println("Active Scan progress : " + progress + "%");
if (progress >= 100) {
break;
}
}
System.out.println("Active Scan complete");
// Print vulnerabilities found by the scanning
System.out.println("Alerts:");
System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));
} catch (Exception e) {
System.out.println("Exception : " + e.getMessage());
e.printStackTrace();
}
}
}
運行時出現錯誤:
java -jar WafTestSuite.jar "zapurl" "8090" "change-me-9203935709" "10.10.10.254:3000"; Spidering target : 10.10.8.254:3000
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:366)
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.http://java:350)
at org.zaproxy.clientapi.gen.Spider.scan(Spider.http://java:242)
at Spider.main(Spider.java:28)
Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.http://java:399)
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:364)
我很感激任何幫助,謝謝。
默認情況下,ZAP 不接受到 API 的遠程連接。 您需要啟用它們並設置合適的 API 密鑰(或禁用它)。 此常見問題解答中的更多詳細信息: https : //www.zaproxy.org/faq/how-can-i-connect-to-zap-remotely/
這個錯誤信息...
java -jar WafTestSuite.jar "zapurl" "8090" "change-me-9203935709" "10.10.10.254:3000"; Spidering target : 10.10.8.254:3000
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:366)
...暗示遠程服務器接受並關閉連接而不發送響應。
此錯誤背后可能有很多原因,其中一些原因如下:
但是,根據代碼塊中zap代理的配置,很明顯,盡管您將ZAP_API_KEY
初始化為字符串,但您並未分配任何值。 因此錯誤。
所以基本上你配置 ZAP 的代碼塊將是:
private static final String ZAP_ADDRESS = "localhost";
private static final int ZAP_PORT = 8080;
// Change to match the API key set in ZAP, or use NULL if the API key is disabled
private static final String ZAP_API_KEY = "abcdefghijklmnop123456789";
// The URL of the application to be tested
private static final String TARGET = "http://localhost:3000";
根據文檔,自 ZAP 2.4.1 版可用以來,默認情況下需要配置API 密鑰,以便調用對 ZAP 進行更改的 API 操作。 此外,隨着 ZAP 2.6.0 版的推出,默認情況下需要API 密鑰才能調用任何 API 操作。 實施此安全功能是為了防止惡意站點調用 ZAP API。 API 安全選項,包括 API 密鑰,可以在 API 選項屏幕(ZAP 代理接口 -> 工具 -> 選項 -> API)中找到:
您可以通過以下不同方式更改 API 密鑰:
通過使用以下命令從命令行設置 API 密鑰:
-config api.key=change-me-9203935709
使用以下命令從命令行禁用 API 密鑰:
-config api.disablekey=true
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.