ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0
104 stars 70 forks

What am I doing wrong? #34

Closed alex4561 closed 2 years ago

alex4561 commented 3 years ago

Hello! Can you help me, please? I made a scan.sh file with:

#!/bin/bash

# Report directory on the host is bind-mounted as /zap/wrk inside the container.
# The whole -z value must be one quoted string (the original had an unclosed quote
# and nested quotes around the username value).
docker run --rm -v "$(pwd)/zap/rep/:/zap/wrk/:rw" -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t https://site.test/ \
  -r "testreport--$(date +%Y-%m-%d).html" \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=https://site.test/ \
      auth.username=login \
      auth.password=password \
      auth.username_field=email \
      auth.password_field=password \
      auth.submit_field=submit \
      auth.auto=1"

Then I start it. Log:

2021-06-04 10:52:51,990 Start display
2021-06-04 10:52:52,073 Start webdriver
2021-06-04 10:52:56,779 authenticate using webdriver against URL: https://site.test/
2021-06-04 10:53:04,155 automatically finding login elements
2021-06-04 10:53:04,155 Trying to find element username
2021-06-04 10:53:04,156 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='username') and (@type='text' or @type='email' or not(@type))]
2021-06-04 10:53:04,177 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='username') and (@type='text' or @type='email' or not(@type))]
2021-06-04 10:53:04,204 Found element (//input[((@type='text' or @type='email') and contains(@name,'ser')) or (@type='text' or @type='email')])[1] by default xpath
2021-06-04 10:53:04,481 Filled the username element
2021-06-04 10:53:04,481 Trying to find element login
2021-06-04 10:53:04,481 Built xpath: //*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2021-06-04 10:53:04,510 Built xpath: //*[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2021-06-04 10:53:04,544 Found element //*[@type='submit' or @type='button' or button] by default xpath
2021-06-04 10:53:04,836 Clicked the login element
2021-06-04 10:53:09,841 Finding authentication cookies
2021-06-04 10:53:09,886 Active session: auth-session
2021-06-04 10:53:09,887 Finding authentication headers

It looks like everything is ok, but:

*** You are running in headless mode.
[GFX1-]: glxtest: libpci missing
[GFX1-]: glxtest: libEGL missing
[GFX1-]: glxtest: libEGL missing
1622804000604   Marionette  INFO    Marionette enabled

(/usr/lib/firefox/firefox:586): GLib-GObject-CRITICAL **: 10:53:21.598: g_object_set: assertion 'G_IS_OBJECT (object)' failed

(/usr/lib/firefox/firefox:610): GLib-GObject-CRITICAL **: 10:53:21.740: g_object_set: assertion 'G_IS_OBJECT (object)' failed
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new Error("", "(unknown module)"))
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
1622804003890   Marionette  INFO    Listening on port 36047
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt

And the whole log is filled with [GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt

What am I doing wrong? =)

I have tried running it on Mac and Ubuntu Server without GUI.

Thank you!

snehadominic commented 2 years ago

@alex4561 Facing the same issue. Have you got this fixed? Please share the update. It would be really helpful.

I am also getting the below error:

ERROR [Errno 13] Permission denied: '/zap/wrk/testreport.html'

dicksnel commented 2 years ago

@alex4561 I think this is only some spam, not actual errors for ZAP: https://github.com/mozilla/geckodriver/issues/1898

Or is the report not generated in the end?

@snehadominic You get that error because the ZAP container cannot write the report. Try -u root in the docker run command.

snehadominic commented 2 years ago

@dicksnel Thanks for quick help! -u root fixed the report issue.

As a question, what do the logs below mean? I am seeing them even when I tried running the scan against the demo URL in the command example.

2021-07-01T15:17:07.0687391Z WARNING: An illegal reflective access operation has occurred
2021-07-01T15:17:07.0688810Z WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/zap/./plugin/spiderAjax-release-23.4.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
2021-07-01T15:17:07.0689453Z WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
2021-07-01T15:17:07.0690038Z WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
2021-07-01T15:17:07.0690412Z WARNING: All illegal access operations will be denied in a future release

snehadominic commented 2 years ago

@dicksnel A quick update: using '-u root' didn't fix the issue completely. After using '-u root' in the docker run command, the login is failing and the scan is happening without authentication. Once I remove '-u root', I can see that the login is successful, but then the permission to write the report is not present. Please help.

Adding authentication error below:

2021-07-01T15:21:21.3833009Z 2021-07-01 15:21:21,382 Start display
2021-07-01T15:21:21.4428672Z 2021-07-01 15:21:21,441 Start webdriver
2021-07-01T15:21:21.5567103Z Traceback (most recent call last):
2021-07-01T15:21:21.5567648Z   File "/zap/zap_auth.py", line 75, in login
2021-07-01T15:21:21.5568041Z     self.setup_webdriver(config)
2021-07-01T15:21:21.5568463Z   File "/zap/zap_auth.py", line 63, in setup_webdriver
2021-07-01T15:21:21.5568913Z     self.driver = webdriver.Firefox(profile)
2021-07-01T15:21:21.5570166Z   File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/firefox/webdriver.py", line 170, in __init__
2021-07-01T15:21:21.5570704Z     RemoteWebDriver.__init__(
2021-07-01T15:21:21.5571505Z   File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webdriver.py", line 157, in __init__
2021-07-01T15:21:21.5572082Z     self.start_session(capabilities, browser_profile)
2021-07-01T15:21:21.5572918Z   File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webdriver.py", line 252, in start_session
2021-07-01T15:21:21.5573506Z     response = self.execute(Command.NEW_SESSION, parameters)
2021-07-01T15:21:21.5574332Z   File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
2021-07-01T15:21:21.5574885Z     self.error_handler.check_response(response)
2021-07-01T15:21:21.5575719Z   File "/usr/local/lib/python3.8/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
2021-07-01T15:21:21.5576295Z     raise exception_class(message, screen, stacktrace)
2021-07-01T15:21:21.5576867Z selenium.common.exceptions.WebDriverException: Message: Process unexpectedly closed with status 1
2021-07-01T15:21:21.5577212Z 
2021-07-01T15:21:21.5577842Z 2021-07-01 15:21:21,555 error in login: None
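One way to avoid the dilemma above (report not writable without -u root, login broken with it), as an added example that is not code from the thread or from the ICTU project: make the bind-mounted report directory writable for whatever unprivileged uid the image runs as, and keep the credentials out of the script by reading them from the environment. The image name, the auth.* keys and the hook path are taken from the thread; ZAP_USER and ZAP_PASS are hypothetical variable names.

```shell
#!/bin/sh
# Added example: authenticated ZAP baseline scan without running the container as root.
set -eu

TARGET="${TARGET:-https://site.test/}"
REPORT_DIR="${REPORT_DIR:-$(pwd)/zap/rep}"
IMAGE="ictu/zap2docker-weekly"

# Assemble the single space-separated string that -z expects. Building it in one
# place avoids the nested-quote mistakes of the original scan.sh.
build_auth_opts() {
  login_url="$1"; user="$2"; pass="$3"
  printf '%s' "auth.loginurl=${login_url} auth.username=${user} auth.password=${pass} auth.username_field=email auth.password_field=password auth.submit_field=submit auth.auto=1"
}

# Make the report directory writable for the container's uid. chown works when we
# already own the directory or run with enough privilege; otherwise fall back to
# opening it up for "other", which is still narrower than running the scan as root.
prepare_report_dir() {
  dir="$1"; uid="$2"
  mkdir -p "$dir"
  chown "$uid" "$dir" 2>/dev/null || chmod o+rwx "$dir"
}

run_scan() {
  # Ask the image which uid it runs as instead of hardcoding an assumption.
  container_uid="$(docker run --rm "$IMAGE" id -u)"
  prepare_report_dir "$REPORT_DIR" "$container_uid"
  # Credentials come from the environment (ZAP_USER / ZAP_PASS, hypothetical names),
  # so they are not committed alongside the script.
  docker run --rm -v "${REPORT_DIR}:/zap/wrk/:rw" -t "$IMAGE" zap-baseline.py -I -j \
    -t "$TARGET" \
    -r "testreport--$(date +%Y-%m-%d).html" \
    --hook=/zap/auth_hook.py \
    -z "$(build_auth_opts "$TARGET" "${ZAP_USER:?set ZAP_USER}" "${ZAP_PASS:?set ZAP_PASS}")"
}

# Start the scan only when invoked as "./scan.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then run_scan; fi
```

The -z string still ends up on the container's command line, so a process listing inside the container can see it; that is a property of how the hook receives its options, not something this script changes.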

dicksnel commented 2 years ago

Are you sure the Docker container can reach the host you are scanning? Can you paste your full command?

vanovarderesyan commented 1 year ago

[screenshot attached]

Hi all, I have run ZAP with the help of Docker and I get this error (see the attached screenshot). What solutions can you offer? I have tried to scan the login pages.