RedHatProductSecurity / rapidast

RapiDAST enables simple, continuous and fully automated application security testing
Apache License 2.0

Connection Refused error on linux with podman and openapi #222

Closed tommasop closed 1 month ago

tommasop commented 1 month ago

I've set up rapidast with this configuration file:

config:
  configVersion: 5

defectDojo:
  url: "http://localhost:8080"
  ssl: False
  authorization:
    username: "admin"
    password: "K9fuLeoBYEZjTrajg7T8s4"

application:
  shortName: "iXi_Center"
  url: "http://127.0.0.1:4000/api/"

general:
  container:
    type: "podman"

scanners:
  zap:
    apiScan:
      apis:
        apiFile: "/home/tommasop/code/work/rapidast/examples/ixi_openapi.json"

    passiveScan:
      # optional list of passive rules to disable
      disabledRules: "2,10015,10027,10096,10024,10098,10023"

    activeScan:
      policy: API-scan-minimal

    container:
      type: "podman"
      parameters:
        image: "ghcr.io/zaproxy/zaproxy:stable"

    report:
      format: ["json"]

    miscOptions:
      updateAddons: False
      additionalAddons: "ascanrulesBeta,postman"

    defectDojoExport:
      type: "reimport"
      parameters:
        product_name: "iXi Center"
        engagement_name: "RapiDAST"
        auto_create_context: False

when I run the rapidast.py script I receive a lot of these errors:

    Job openapi target: http://127.0.0.1:4000/api/ error: Failed to access URL: http://127.0.0.1:4000/api/ixi_devices/00000014AB1904DD/tuned_files?filter[tuning_session][metadata][protocol_num]=22500000&filter[tuning_session][metadata][ecu_type_id]=3043&filter[tuning_session][metadata][params][sw_ver]=0008&filter[tuning_session][metadata][params][vr_file_patt]=MJ9DFHW000 _4B45Y112 : org.apache.hc.client5.http.HttpHostConnectException : Connect to http://127.0.0.1:4000 [/127.0.0.1] failed: Connection refused (Connection refused)
    Job openapi target: http://127.0.0.1:4000/api/ error: Failed to access URL: http://127.0.0.1:4000/api/ixi_devices/device_id/tuned_files/de2e69a3-49e3-4808-9169-4cf306e07a83 : org.apache.hc.client5.http.HttpHostConnectException : Connect to http://127.0.0.1:4000 [/127.0.0.1] failed: Connection refused (Connection refused)

But if I try to access the same URLs through a browser I can access them correctly.

I've also tried with localhost with the same results.

I am using podman as you can see from the config file.

sfowl commented 1 month ago

@tommasop From within a container, with default networking config, 127.0.0.1 will resolve to localhost of that container, not localhost of the host machine. To reach services running on the host machine from inside a container try using an address like host.containers.internal, e.g.

https://stackoverflow.com/questions/58678983/accessing-host-from-inside-container

Note that the service still may not be reachable if it is bound to 127.0.0.1. The bind address might need to be changed to match host.containers.internal or 0.0.0.0 (though be careful of this as it will expose the service on all interfaces, i.e. be reachable from other devices).

tommasop commented 1 month ago

@sfowl thanks for the prompt reply.

Is it possible to pass parameters to the zap container in the container --> parameter section?

Thanks a lot

tommasop commented 1 month ago

Found the solution.

Podman has the host.containers.internal that works out of the box.

The working config file is:

config:
  configVersion: 5

defectDojo:
  url: "http://host.containers.internal:8080"
  ssl: False
  authorization:
    username: "admin"
    password: "K9fuLeoBYEZjTrajg7T8s4"

application:
  shortName: "iXi_Center"
  url: "http://host.containers.internal:4000/api/"

general:
  container:
    type: "podman"

scanners:
  zap:
    apiScan:
      apis:
        apiFile: "/home/tommasop/code/work/rapidast/examples/ixi_openapi.json"

    passiveScan:
      # optional list of passive rules to disable
      disabledRules: "2,10015,10027,10096,10024,10098,10023"

    activeScan:
      policy: API-scan-minimal

    container:
      type: "podman"
      parameters:
        image: "ghcr.io/zaproxy/zaproxy:stable"

    report:
      format: ["json"]

    miscOptions:
      updateAddons: False
      additionalAddons: "ascanrulesBeta,postman"

    defectDojoExport:
      type: "reimport"
      parameters:
        product_name: "iXi Center"
        engagement_name: "RapiDAST"
        auto_create_context: False
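A preflight check for the loopback trap sfowl describes, added here as an example (not RapiDAST code and not from this thread): it walks a config shaped like the ones above, flags every `url` that points at 127.0.0.1, localhost or ::1 while `general.container.type` is podman, and produces the `host.containers.internal` rewrite that the working config uses. The dict is a constructed stand-in for the YAML file; loading the real file (e.g. with PyYAML) is assumed to happen before calling `preflight`.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Name podman publishes inside containers for the host itself (used in the fix above).
HOST_ALIAS = "host.containers.internal"

# Constructed sample mirroring the failing config from the issue (not the real file).
SAMPLE_CONFIG = {
    "config": {"configVersion": 5},
    "defectDojo": {"url": "http://localhost:8080", "ssl": False},
    "application": {"shortName": "iXi_Center", "url": "http://127.0.0.1:4000/api/"},
    "general": {"container": {"type": "podman"}},
}

def is_loopback_host(hostname):
    """True for names that mean the container's own loopback, not the host's."""
    if hostname and hostname.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname or "").is_loopback
    except ValueError:  # a regular DNS name (or no host at all)
        return False

def rewrite_for_container(url):
    """Swap a loopback host for HOST_ALIAS, keeping scheme, port, path and query."""
    parts = urlsplit(url)
    if not is_loopback_host(parts.hostname):
        return url
    netloc = HOST_ALIAS if parts.port is None else f"{HOST_ALIAS}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def preflight(config):
    """Map dotted key path -> (old_url, new_url) for each loopback 'url' value,
    only when general.container.type is podman (without a container, loopback is fine)."""
    if config.get("general", {}).get("container", {}).get("type") != "podman":
        return {}
    findings = {}
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, str) and path and path[-1] == "url":
            fixed = rewrite_for_container(node)
            if fixed != node:
                findings[".".join(path)] = (node, fixed)
    walk(config, [])
    return findings
```

Run `preflight(SAMPLE_CONFIG)` to see both the defectDojo and application URLs reported with their rewritten form; a service bound only to 127.0.0.1 on the host will still refuse the connection, as noted above.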