ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

adding auth hook to command results in "File not found" for the auth.loginurl zap param #13

Closed n7902 closed 4 years ago

n7902 commented 4 years ago

Running this command works, displaying that it's loading the provided params when it runs.

```
docker run --network="host" --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -t http://myexample.com -z "auth.loginurl=http://myexample/#/login "auth.username="admin" auth.username_field="email" auth.password_field="password" auth.password="admin123""
```

But adding the switch for the --auth.hook after -t http://myexample.com results in the below error, which appears to view the provided login page as an object.


```
java.lang.Exception: File not found 'auth.loginurl=http://myexamplesite/#/login'
        at org.parosproxy.paros.CommandLine.parse(CommandLine.java:302)
        at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1026)
        at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:88)
        at java.lang.Thread.run(Thread.java:748)
5697 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:41046
```

n7902 commented 4 years ago

Fixed, an extra tick in the auth.loginurl switch was the culprit, cheers

sai-yanamandra commented 3 years ago

Can you please send the exact command that fixed the issue? I am also facing the same issue here.

dicksnel commented 3 years ago

@sai-yanamandra are you using the latest version? Error messages were recently improved. Please provide your full command.

rameshrangaswamy commented 2 years ago

@n7902 Could you please share the fix for the auth.loginurl switch? I am facing the same issue.

dicksnel commented 2 years ago

@rameshrangaswamy can you share your full command and output?

rameshrangaswamy commented 2 years ago

@dicksnel here it is, please help in resolving this.

```
chmod -R 777 ./
docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 \
  -t https://example.net \
  -r testreport.html \
  -d \
  --hook=/zap/auth_hook.py \
  -x OWASP-ZAP-Report.xml \
  -z "auth.loginurl=https://example.net/signin.aspx \
  auth.username="username" \
  auth.password="password" \
  auth.username_field="txtEmail" \
  auth.password_field="txtPassword" \
  auth.submit_field="submit" \
  auth.exclude=".signout." auth.include="https://example.*"
```

dicksnel commented 2 years ago

@rameshrangaswamy you are missing a closing " at the end. The entire -z arg should be quoted:

```
docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 \
-t https://example.net \
-r testreport.html \
-d \
--hook=/zap/auth_hook.py \
-x OWASP-ZAP-Report.xml \
-z "auth.loginurl=https://example.net/signin.aspx \
auth.username="username" \
auth.password="password" \
auth.username_field="txtEmail" \
auth.password_field="txtPassword" \
auth.submit_field="submit" \
auth.exclude=".signout." \
auth.include="https://example.*""
```
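As an added example that is not part of this thread or of the ictu/zap2docker-auth-weekly project: the failures above are shell word-splitting, which happens before zap-full-scan.py or ZAP sees anything. The script below swaps the docker invocation for a stand-in function that reports how many arguments arrived and what the -z value was, and runs it with the quoting from the first report, a single-line corrected form, and the multi-line form from the last comment. The URLs and field names are the thread's own placeholders; `inspect_z`, `broken`, `fixed_one_line` and `fixed_multi_line` are names chosen here.

```shell
#!/bin/sh
# Added example (not the project's code): check how the shell splits the -z
# argument before it reaches zap-full-scan.py.

# Stand-in for `docker run ... zap-full-scan.py`: prints the argument count and the
# argument that followed -z, separated by "|".
inspect_z() {
    n=$#
    zval=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-z" ] && [ $# -gt 1 ]; then
            zval=$2
            shift
        fi
        shift
    done
    printf '%s|%s\n' "$n" "$zval"
}

# 1. Quoting from the first report. The stray " after the login URL closes the -z
#    string early, so only the first two auth.* settings travel with -z and the rest
#    become separate positional arguments that zap-full-scan.py does not treat as
#    -z options.
broken() {
    inspect_z -z "auth.loginurl=http://myexample/#/login "auth.username="admin" auth.username_field="email" auth.password="admin123"
}

# 2. Corrected single-line form: one pair of double quotes around the whole -z value,
#    no inner quotes, so everything (including any * in an include pattern) stays
#    quoted and arrives as a single argument.
fixed_one_line() {
    inspect_z -z "auth.loginurl=http://myexample/#/login auth.username=admin auth.username_field=email auth.password=admin123"
}

# 3. Multi-line form as in the last comment. Inside double quotes a backslash-newline
#    is removed, and "username" merely closes and reopens quoting without a word
#    break, so the result is still one argument. The continuation lines start at
#    column 0 on purpose: leading indentation would be copied into the value.
fixed_multi_line() {
    inspect_z -z "auth.loginurl=https://example.net/signin.aspx \
auth.username="username" \
auth.password="password" \
auth.exclude=".signout." \
auth.submit_field="submit""
}

broken
fixed_one_line
fixed_multi_line
```

Running it prints `4|...` for the broken form and `2|...` for both corrected forms; the text after `|` is exactly what ZAP would receive as its -z value. Doing this dry run with `printf` (or `echo`) in place of `docker run` is a quick way to confirm the quoting before starting a long scan, and note that the multi-line style leaves anything between the inner quotes unquoted, so a value such as an include pattern containing `*` is safer in the single-quoted-pair form.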