ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

Getting unexpected EOF while looking for matching `"' #33

Closed vinilnarayan closed 3 years ago

vinilnarayan commented 3 years ago

Hi, I'm getting the below error while running with

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t http://zero.webappsecurity.com/login.html \
  -r testreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://zero.webappsecurity.com/login.html \
      auth.username="username" \
      auth.password="password" \
      auth.username_field="user_login" \
      auth.password_field="user_password" \
      auth.submit_field="submit" \
      auth.exclude=".logout." auth.include="https://api.website.net."

Error: .jenkins/workspace/NewDocker-ZAP-Pipelinesession2@2@tmp/durable-5da50a65/script.sh: line 5: unexpected EOF while looking for matching `"'

dicksnel commented 3 years ago

Hi, you are missing the closing quote for the -z argument. So you need to add another `"` at the end.
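An added example, not code from the thread or from the zap2docker project: the standard library's shlex splits a command line the way a POSIX shell does, so it reproduces the shell's complaint on the command above and, once the closing quote is added, shows exactly which auth.* values the hook receives from the single -z argument (the same thing the hook logs as `_get_zap_param`). The command strings below are constructed from the issue; `$(pwd)` is kept literal, not expanded.

```python
import shlex

# Constructed from the command in the issue (not the project's code): the -z
# argument opens a double quote that is never closed, which is what makes the
# shell report "unexpected EOF while looking for matching `"'".
BROKEN_CMD = r'''docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t http://zero.webappsecurity.com/login.html \
  -r testreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://zero.webappsecurity.com/login.html \
      auth.username="username" \
      auth.password="password" \
      auth.username_field="user_login" \
      auth.password_field="user_password" \
      auth.submit_field="submit" \
      auth.exclude=".*logout.*" auth.include="https://api.website.net.*"'''

# The fix from the thread: one more double quote at the very end.
FIXED_CMD = BROKEN_CMD + '"'


def join_continuations(cmd: str) -> str:
    """Apply the shell's line-continuation rule: a backslash followed by a
    newline is removed, both inside and outside double quotes."""
    return cmd.replace("\\\n", "")


def split_command(cmd: str) -> list:
    """Split the command into argv the way a POSIX shell would (no variable or
    command expansion, so $(pwd) stays literal). Raises ValueError on
    unbalanced quotes, just as the shell refuses the script."""
    return shlex.split(join_continuations(cmd))


def check_quoting(cmd: str):
    """Return None if the quoting is balanced, otherwise the shlex error text."""
    try:
        split_command(cmd)
    except ValueError as exc:
        return str(exc)
    return None


def zap_auth_params(argv: list) -> dict:
    """Reproduce what the hook logs as '_get_zap_param': the single -z argument
    is split on whitespace into key=value items and only auth.* keys are kept.
    The inner quotes around "username" etc. do not survive: the shell joins
    ...auth.username="username"... into one word, so ZAP sees
    auth.username=username, exactly as in the 'Extra params' log line."""
    zap_arg = argv[argv.index("-z") + 1]
    params = {}
    for item in zap_arg.split():
        key, sep, value = item.partition("=")
        if sep and key.startswith("auth."):
            params[key] = value
    return params


if __name__ == "__main__":
    print("broken:", check_quoting(BROKEN_CMD))   # broken: No closing quotation
    print("fixed :", check_quoting(FIXED_CMD))    # fixed : None
    for key, value in zap_auth_params(split_command(FIXED_CMD)).items():
        print(f"{key} = {value}")
```

Running `check_quoting` on a pipeline's command string before handing it to Jenkins catches this class of mistake without spinning up the container, and `zap_auth_params` makes it visible when a nested quote silently changes a value instead of failing.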

vinilnarayan commented 3 years ago

@dicksnel

Ohhhh noooooo... I accidentally missed it, and it's working fine now.

vinilnarayan commented 3 years ago

Hi,

Have you faced the issue which I mentioned below? I have tried to understand the issue, but could not find any solution.

raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.WebDriverException: Message: Reached error page: about:neterror?e=nssFailure2&u=https%3A//zero.webappsecurity.com/auth/accept-certs.html%3Fuser_token%3De9675ea7-8f36-40be-bd60-90fda2f96371&c=UTF-8&d=%20

2021-05-06 09:55:25,130 error in login: None
WARNING: An illegal reflective access operation has occurred

dicksnel commented 3 years ago

Can you post the full command and output with -d? It seems like it cannot load your site because of an invalid certificate.

vinilnarayan commented 3 years ago

Hi, the command which I tried is

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t http://zero.webappsecurity.com/ \
  -r testreport.html \
   --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://zero.webappsecurity.com/login.html \
      auth.username="username" \
      auth.password="password" \
      auth.username_field="user_login" \
      auth.password_field="user_password" \
      auth.submit_field="submit" \
      auth.exclude=".*logout.*""

And the output is

+ docker run --rm -v /Users/vinilnarayan/.jenkins/workspace/NewDocker-ZAP-Pipeline_session2@2:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j -t http://zero.webappsecurity.com/ -r testreport.html --hook=/zap/auth_hook.py -z 'auth.loginurl=http://zero.webappsecurity.com/login.html       auth.username=username       auth.password=password       auth.username_field=user_login       auth.password_field=user_password       auth.submit_field=submit       auth.exclude=.*logout.*'
2021-05-06 09:55:00,481 Extra params passed by ZAP: ['-config', 'spider.maxDuration=1', '-addonupdate', '-addoninstall', 'pscanrulesBeta', 'auth.loginurl=http://zero.webappsecurity.com/login.html', 'auth.username=username', 'auth.password=password', 'auth.username_field=user_login', 'auth.password_field=user_password', 'auth.submit_field=submit', 'auth.exclude=.*logout.*']
2021-05-06 09:55:00,481 _get_zap_param auth.loginurl: http://zero.webappsecurity.com/login.html
2021-05-06 09:55:00,481 _get_zap_param auth.username: username
2021-05-06 09:55:00,481 _get_zap_param auth.password: password
2021-05-06 09:55:00,481 _get_zap_param auth.username_field: user_login
2021-05-06 09:55:00,482 _get_zap_param auth.password_field: user_password
2021-05-06 09:55:00,482 _get_zap_param auth.submit_field: submit
2021-05-06 09:55:00,482 _get_zap_param auth.exclude: ['.*logout.*']
May 06, 2021 9:55:06 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
2021-05-06 09:55:10,907 Included http://zero.webappsecurity.com/.*
2021-05-06 09:55:10,942 Excluded .*logout.*
2021-05-06 09:55:10,942 Start display
2021-05-06 09:55:11,008 Start webdriver
2021-05-06 09:55:15,086 authenticate using webdriver against URL: http://zero.webappsecurity.com/login.html
2021-05-06 09:55:22,484 automatically finding login elements
2021-05-06 09:55:22,484 Trying to find element user_login
2021-05-06 09:55:22,484 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='user_login') and (@type='text' or @type='email' or not(@type))]
2021-05-06 09:55:22,507 Found element user_login by id
2021-05-06 09:55:22,546 Filled the user_login element
2021-05-06 09:55:22,546 Trying to find element user_password
2021-05-06 09:55:22,546 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='user_password') and (@type='text' or @type='password' or not(@type))]
2021-05-06 09:55:22,555 Found element user_password by id
2021-05-06 09:55:22,578 Filled the user_password element
2021-05-06 09:55:22,578 Trying to find element submit
2021-05-06 09:55:22,579 Built xpath: //*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='submit') and (@type='submit' or @type='button' or button)]
2021-05-06 09:55:22,589 Built xpath: //*[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='submit') and (@type='submit' or @type='button' or button)]
2021-05-06 09:55:22,594 Found element submit by name
Traceback (most recent call last):
  File "/zap/zap_auth.py", line 77, in login
    self.auto_login(config)
  File "/zap/zap_auth.py", line 163, in auto_login
    self.submit_form(config.auth_submitaction, config.auth_submit_field_name, username_element)
  File "/zap/zap_auth.py", line 171, in submit_form
    element.click()
  File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webelement.py", line 80, in click
    self._execute(Command.CLICK_ELEMENT)
  File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
    return self._parent.execute(command, params)
  File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.WebDriverException: Message: Reached error page: about:neterror?e=nssFailure2&u=https%3A//zero.webappsecurity.com/auth/accept-certs.html%3Fuser_token%3De9675ea7-8f36-40be-bd60-90fda2f96371&c=UTF-8&d=%20

2021-05-06 09:55:25,130 error in login: None
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/zap/./plugin/spiderAjax-release-23.4.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
1620294934433   geckodriver INFO    Listening on 127.0.0.1:21597
1620294934780   mozrunner::runner   INFO    Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileFBBUdS"
*** You are running in headless mode.
[GFX1-]: glxtest: libpci missing
[GFX1-]: glxtest: libEGL missing
[GFX1-]: glxtest: libEGL missing

(/usr/lib/firefox/firefox:501): GLib-GObject-CRITICAL **: 09:55:35.768: g_object_set: assertion 'G_IS_OBJECT (object)' failed

(/usr/lib/firefox/firefox:521): GLib-GObject-CRITICAL **: 09:55:35.867: g_object_set: assertion 'G_IS_OBJECT (object)' failed
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new Error("", "(unknown module)"))
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))

(/usr/lib/firefox/firefox:609): GLib-GObject-CRITICAL **: 09:55:37.411: g_object_set: assertion 'G_IS_OBJECT (object)' failed
1620294937472   Marionette  INFO    Listening on port 40501
1620294937514   Marionette  WARN    TLS certificate errors will be ignored for this session

(/usr/lib/firefox/firefox:764): GLib-GObject-CRITICAL **: 09:56:18.537: g_object_set: assertion 'G_IS_OBJECT (object)' failed

(/usr/lib/firefox/firefox:840): GLib-GObject-CRITICAL **: 09:56:39.678: g_object_set: assertion 'G_IS_OBJECT (object)' failed
1620295006811   Marionette  INFO    Stopped listening on port 40501
Total of 29 URLs

dicksnel commented 3 years ago

This error is due to the fact that the website is using TLS1.1 or older, which is deprecated and now blocked behind a warning by Firefox and Chrome.

I just pushed a commit which ignores this warning. Please pull the latest Docker image and try again.
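An added example, not part of the thread or of the zap2docker hook code: a small Python helper that pulls the Firefox error code and the failing URL out of the WebDriverException message quoted above, so a login hook can log where the flow died instead of the bare `error in login: None`. It also shows the detail that matters for diagnosis here: the configured login URL is plain http, but the page that failed is an https URL the form submit redirected to. The sample message is taken from the traceback in this thread; the code-to-hint table is my own wording and only nssFailure2 actually appears on this page.

```python
from urllib.parse import parse_qs, urlsplit

# Captured from the traceback in this thread: the message Selenium raises when
# Firefox lands on its internal error page instead of the site.
SAMPLE_MESSAGE = (
    "Message: Reached error page: about:neterror?e=nssFailure2"
    "&u=https%3A//zero.webappsecurity.com/auth/accept-certs.html"
    "%3Fuser_token%3De9675ea7-8f36-40be-bd60-90fda2f96371&c=UTF-8&d=%20"
)

# My own short hints for a few Firefox about:neterror codes (assumption: the
# wording is mine, not Firefox's; only nssFailure2 appears in the thread).
ERROR_HINTS = {
    "nssFailure2": "TLS handshake failed, e.g. the server only offers TLS 1.1 or older",
    "nssBadCert": "certificate was rejected (self-signed, expired or wrong host)",
    "dnsNotFound": "hostname did not resolve inside the container",
    "connectionFailure": "TCP connection refused or reset",
    "netTimeout": "connection timed out",
}


def parse_neterror(message: str):
    """Extract the error code (e=) and the URL Firefox was loading (u=) from a
    WebDriverException message. Returns None if it is not a neterror page."""
    marker = "about:neterror?"
    start = message.find(marker)
    if start == -1:
        return None
    rest = message[start + len(marker):].split()
    fields = parse_qs(rest[0] if rest else "")
    code = fields.get("e", [""])[0]
    url = fields.get("u", [""])[0]          # parse_qs already percent-decodes
    return {
        "code": code,
        "url": url,
        "host": urlsplit(url).hostname,
        "hint": ERROR_HINTS.get(code, "unknown error code"),
    }


def redirected_off_login(login_url: str, failing_url: str) -> bool:
    """True when the page that failed is not the configured login page itself,
    i.e. the form submit redirected elsewhere (here: from the plain-http login
    page to an https URL whose TLS setup Firefox rejects)."""
    a, b = urlsplit(login_url), urlsplit(failing_url)
    return (a.scheme, a.hostname, a.path) != (b.scheme, b.hostname, b.path)


def describe_login_failure(login_url: str, message: str) -> str:
    """One-line diagnosis a hook could log in place of 'error in login: None'."""
    info = parse_neterror(message)
    if info is None:
        return "login failed for a reason other than a browser network error"
    where = "after a redirect to" if redirected_off_login(login_url, info["url"]) else "on"
    return f"{info['code']} {where} {info['url']} ({info['hint']})"


if __name__ == "__main__":
    print(describe_login_failure("http://zero.webappsecurity.com/login.html", SAMPLE_MESSAGE))
```

Dropping a call like `describe_login_failure` into the hook's except path turns the traceback into a single line that names the redirect target and the TLS error, which is usually enough to tell a certificate problem from a deprecated-protocol problem before reaching for -d.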

vinilnarayan commented 3 years ago

Thank you so much for the quick response.

Sorry, I'm new to docker actually. :(

Can I use the same command to pull the latest docker image?

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t http://zero.webappsecurity.com/ \
  -r testreport.html \
   --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://zero.webappsecurity.com/login.html \
      auth.username="username" \
      auth.password="password" \
      auth.username_field="user_login" \
      auth.password_field="user_password" \
      auth.submit_field="submit" \
      auth.exclude=".*logout.*""

vinilnarayan commented 3 years ago

Hi @dicksnel ,

With my limited knowledge, I have updated the command.

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly:latest zap-baseline.py -I -j \
  -t http://zero.webappsecurity.com/ \
  -r testreport.html \
   --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://zero.webappsecurity.com/login.html \
      auth.username="username" \
      auth.password="password" \
      auth.username_field="user_login" \
      auth.password_field="user_password" \
      auth.submit_field="submit" \
      auth.exclude=".*logout.*""

and I am still getting

raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.WebDriverException: Message: Reached error page: about:neterror?e=nssFailure2&u=https%3A//zero.webappsecurity.com/auth/accept-certs.html%3Fuser_token%3D3180a52e-017f-4095-b8a3-4ec039fd8a6d&c=UTF-8&d=%20

2021-05-07 10:03:13,500 error in login: None
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/zap/./plugin/spiderAjax-release-23.4.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
1620381804040   geckodriver INFO    Listening on 127.0.0.1:30153
1620381804641   mozrunner::runner   INFO    Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileA5Wtmg"
*** You are running in headless mode.
[GFX1-]: glxtest: libpci missing
[GFX1-]: glxtest: libEGL missing
[GFX1-]: glxtest: libEGL missing
(/usr/lib/firefox/firefox:526): GLib-GObject-CRITICAL **: 10:03:26.711: g_object_set: assertion 'G_IS_OBJECT (object)' failed
(/usr/lib/firefox/firefox:546): GLib-GObject-CRITICAL **: 10:03:26.878: g_object_set: assertion 'G_IS_OBJECT (object)' failed
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new Error("", "(unknown module)"))
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))
(/usr/lib/firefox/firefox:610): GLib-GObject-CRITICAL **: 10:03:29.603: g_object_set: assertion 'G_IS_OBJECT (object)' failed
1620381809642   Marionette  INFO    Listening on port 40285
1620381809729   Marionette  WARN    TLS certificate errors will be ignored for this session
1620381848068   Marionette  INFO    Stopped listening on port 40285
Total of 22 URLs

dicksnel commented 3 years ago

Hi, you need to pull the latest image first:

docker pull ictu/zap2docker-weekly:latest

vinilnarayan commented 3 years ago

@dicksnel ,

It's really cool... very interesting. Thanks for the help :)