ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy
0 stars 0 forks source link

net.continuumsecurity.proxy.ZAProxyScanner clear() method implementation broken #1611

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.Create ZAProxyScanner instance via zap-java-api 
(https://github.com/continuumsecurity/zap-java-api)
2.After creating instance (let's say instance is called scanningProxy), call 
scanningProxy.clear() in order to start a new session
3.If source is not in build path you will get "api key is invalid" but after 
adding source you'll get NoSuchMethodError as the clear() method calls 
clientApi.ascan.removeAllScans(null); in which removeAllScans has been removed 
from Ascan class.

public void clear() throws ProxyException {
        try {
            clientApi.ascan.removeAllScans(null); <-------------------HERE
            clientApi.core.newSession(apiKey,"","");
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

What is the expected output? What do you see instead?

I shoudl expect a new session established but its not working as the new 
version of zap-api-2.4-v1.jar doesn't contain removeAllScans which causes java 
exception.

What version of the product are you using? On what operating system?

zap-api-2.4-v1.jar

 <groupId>net.continuumsecurity</groupId>
    <artifactId>proxy</artifactId>
    <version>2.4-SNAPSHOT</version>

Please provide any additional information below.

My code used for establishing connection is:

 /**
     * void connectToZAPProxy()
     * <p>
     * Connects to the ZAP proxy.
     * 
     * <p>
     * The method gets the zap configuration instance's host and port and attempts to start connection to the ZAP proxy.
     */
    public void connectToZAPProxy() {

        String host = zapConf.getZapHost();
        String port = zapConf.getZapPort();

        API api = new API();
        api.setProxy(new java.net.Proxy(java.net.Proxy.Type.HTTP, new InetSocketAddress(host, Integer.parseInt(port))));

        String failMsg =
                "connectToZAPProxy(): Failed to connect to ZAP on Host: " + host + " Port: " + port
                        + ". Make sure ZAP has been started on configured host:port specifed in this error message.";
        try {
            if (scanningProxy == null) {
                scanningProxy = new ZAProxyScanner(host, Integer.parseInt(port), zapConf.getZapAPIKey());
                scanningProxy.clear(); // Start a new session

                System.out.println("connectToZAPProxy(): scanningProxy.getLastScannerScanId() = " + scanningProxy.getLastScannerScanId());

                zapSpider = (Spider) scanningProxy;

                System.out.println("connectToZAPProxy(): scanningProxy.getLastSpiderScanId() = " + zapSpider.getLastSpiderScanId());

                zapConf.setZapStarted(true);
                Utilities.logInfoMessage("Created client to ZAP API");
            } else {
                Utilities
                        .logInfoMessage("connectToZAPProxy(): ZAP connection is already established.  "
                                + "Therefore reusing existing connection.");
            }

        } catch (ProxyException e) {
            if (zapConf.getZapForce()
                    && !zapForceStartedAlready
                    && (zapConf.getZapHost().toLowerCase().equals("localhost") || zapConf.getZapHost().toLowerCase()
                            .equals(LOCAL_IP))) {
                Utilities.logWarningMessage("connectToZAPProxy(): Forcing local ZAP instacne to start at Host: " + host
                        + " Port: " + port);
                forceZAPConfiguredToStart();
            } else {
                Utilities.logSevereMessageThenFail(failMsg + "Stacktrace: " + Utilities.convertStackTraceToString(e));
            }

        } catch (IllegalArgumentException e) {
            Utilities.logSevereMessageThenFail(failMsg + "Stacktrace: " + Utilities.convertStackTraceToString(e));
            fail(failMsg);
        }

    }

Original issue reported on code.google.com by majones...@gmail.com on 21 Apr 2015 at 3:52

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Here are the other broken methods in net.continuumsecurity.proxy.ZAProxyScanner 
class as the signatures in new org.zaproxy.clientapi.core.ClientAPI have 
changed:

@Override
    public void setScannerAttackStrength(String scannerId, String strength) throws ProxyException {
        try {
            clientApi.ascan.setScannerAttackStrength(apiKey,scannerId, strength,null); <------HERE
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException("Error occurred for setScannerAttackStrength", e);
        }
    }

    @Override
    public void setScannerAlertThreshold(String scannerId, String threshold) throws ProxyException {
        try {
            clientApi.ascan.setScannerAlertThreshold(apiKey, scannerId, threshold,null);<------HERE
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

@Override
    public void disableAllScanners() throws ProxyException {
        try {
            ApiResponse response = clientApi.pscan.setEnabled(apiKey,"false");
            response = clientApi.ascan.disableAllScanners(apiKey,null);<------HERE
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

    @Override
    public void enableAllScanners() throws ProxyException {
        try {
            clientApi.pscan.setEnabled(apiKey,"true");
            clientApi.ascan.enableAllScanners(apiKey,null);<------HERE
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

 public void scan(String url) throws ProxyException {
         try {
            clientApi.ascan.scan(apiKey,url, "true", "false",null,null,null);<------HERE
         } catch (ClientApiException e) {
             e.printStackTrace();
             throw new ProxyException(e);
         }
     }

    public int getScanProgress(int id) throws ProxyException {
        try {
            ApiResponseList response = (ApiResponseList)clientApi.ascan.scans();<------HERE
            return new ScanResponse(response).getScanById(id).getProgress();
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

    public void clear() throws ProxyException {
        try {
            clientApi.ascan.removeAllScans(null);<------HERE
            clientApi.core.newSession(apiKey,"","");
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

@Override
    public void spider(String url) {
        try {
            clientApi.spider.scan(apiKey,url,null);<------HERE
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

@Override
    public int getLastScannerScanId() {
        try {
            ApiResponseList response = (ApiResponseList)clientApi.ascan.scans();<------HERE
            return new ScanResponse(response).getLastScan().getId();
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

Original comment by majones...@gmail.com on 21 Apr 2015 at 6:13

GoogleCodeExporter commented 9 years ago
The proxy project pom dependency:

 <<dependency>
            <groupId>org.owasp</groupId>
            <artifactId>zaproxy-client-api</artifactId>
            <version>2.4.1</version>
            <scope>system</scope>
            <systemPath>${project.basedir}/lib/zap-api-2.4-v1.jar</systemPath>
        </dependency>

is pointing to a jar that appears to be an older version but the name of .jar 
is correct.  Unless the real issue is things are not in synch?

Original comment by majones...@gmail.com on 21 Apr 2015 at 6:16

GoogleCodeExporter commented 9 years ago
It's working for me, that is, calling ZAProxyScanner.clear() does not throw any 
exception.

Are you sure that there's no older ZAP API library in the classpath?

The class Ascan does have the method removeAllScans(String) [1] also double 
checked with the actual class file contained in zap-api-2.4-v1.jar.
The same for the other methods.

[1] 
https://code.google.com/p/zaproxy/source/browse/branches/2.4/src/org/zaproxy/cli
entapi/gen/Ascan.java#267

Original comment by THC...@gmail.com on 21 Apr 2015 at 6:25

GoogleCodeExporter commented 9 years ago
Ahhh you know what....I imported workspace from here:

http://sourceforge.net/projects/zaproxy/files/workspace/

and I just saw there is an older copy there, hence, what's throwing things off. 
Removing workspace code from build path/project Testing with actual jar...keep 
u posted shortly...Thanks btw for pointing out this..

Original comment by majones...@gmail.com on 21 Apr 2015 at 7:31

GoogleCodeExporter commented 9 years ago
OK...after removing outdated workspace (we need to update new workspace here 
btw http://sourceforge.net/projects/zaproxy/files/workspace/) and ensured 
project was using zap-api-2.4-v1.jar directly, I get teh below exception:

org.zaproxy.clientapi.core.ClientApiException: Invalid or missing API key 
(bad_api_key)
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
    at org.zaproxy.clientapi.gen.Ascan.removeAllScans(Unknown Source)
    at net.continuumsecurity.proxy.ZAProxyScanner.clear(ZAProxyScanner.java:212)
    at com.nbcuni.test.webdriver.ZAPScanner.connectToZAPProxy(ZAPScanner.java:379)
    at com.nbcuni.test.webdriver.ZAPScanner.enableProxyScan(ZAPScanner.java:858)
    at com.nbcuni.test.clovis.application.create.TC3167_CreateNewApplicationAndValidate.test(TC3167_CreateNewApplicationAndValidate.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:84)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:714)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:901)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1231)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Also, I started Zaproxy manually beforehand so the proxy was up and running at 
the time locally.  I also generated different api keys but no luck.  

Another thing I noticed is I;m not able to access API UI which is supposed to 
be accesible at http://api/ or http://api/UI/core/.  I added host and port but 
still was not able to access?

Original comment by majones...@gmail.com on 21 Apr 2015 at 9:24

GoogleCodeExporter commented 9 years ago
The above exception happens when calling clear()

Original comment by majones...@gmail.com on 21 Apr 2015 at 9:25

GoogleCodeExporter commented 9 years ago
Right, the workspace should be updated. I guess that will be done after the 
migration from Google Code.

Ah, yeah, that's caused by an issue in zap-java-api.
There are some API calls that are missing the API key:
 - In ZAProxyScanner.clear() when calling Ascan.removeAllScans(String);
 - In ZAProxyScanner.deleteAlerts() when calling Core.deleteAllAlerts(String);
 - In ZAProxyScanner.getXmlReport() when calling Core.xmlreport(String).
I think that's all.

To access the API UI you should use:
http://zap/UI
while proxying through ZAP or if you are not proxying, just access the 
address/port that ZAP is listening at, for example:
http://localhost:8080/UI

Original comment by THC...@gmail.com on 21 Apr 2015 at 10:05

GoogleCodeExporter commented 9 years ago
Ahhh OK.  After looking further, you are right as I see it was passing null
vs the apiKey.  I added the the apiKey to:

 public void clear() throws ProxyException {
        try {
            clientApi.ascan.removeAllScans(apiKey);
            clientApi.core.newSession(apiKey,"","");
        } catch (ClientApiException e) {
            e.printStackTrace();
            throw new ProxyException(e);
        }
    }

but still got the same exception.  I also checked out the zap-api source
via svn but having dependency issues in which I'm trying to resolve.  I'm
thinking the issue is my projects are mavenized and the source is not which
is causing me issues.  I know the workspace zip worked but its outdated.
Any pointers on how to add source to mavenized project?

Thanks BTW for the response :-)

Original comment by majones...@gmail.com on 22 Apr 2015 at 4:08

GoogleCodeExporter commented 9 years ago
Have just committed a new version of java-zap-api with the null instances 
replaced by apiKey.

Original comment by stephe...@gmail.com on 22 Apr 2015 at 6:19

GoogleCodeExporter commented 9 years ago
OK sweet! testing it out shortly after lunch...keep you posted...

Original comment by majones...@gmail.com on 22 Apr 2015 at 7:09

GoogleCodeExporter commented 9 years ago
Might be late but, regarding the source, have you tried updated the workspace? 
You should be able to "svn update" the projects (or from within Eclipse "Team" 
> "Update").

Original comment by THC...@gmail.com on 22 Apr 2015 at 10:53

GoogleCodeExporter commented 9 years ago
OK issue still persists, meaning, getting same exception:

org.zaproxy.clientapi.core.ClientApiException: Invalid or missing API key 
(bad_api_key)
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
    at org.zaproxy.clientapi.gen.Ascan.removeAllScans(Unknown Source)
    at net.continuumsecurity.proxy.ZAProxyScanner.clear(ZAProxyScanner.java:212)

I did attempt to debug/trace where exactly in code does it throw the exception 
(obviously here org.zaproxy.clientapi.core.ApiResponseFactory.getResponse) but 
when I add a debugger breakpoint in Ascan class I get this exception:

"Unable to install breakpoint in org.zaproxy.clientapi.gen.Ascan due to missing 
line number attributes.  Modify compiler options to generate line number 
attributes."

My compiler does have that option checked so I believe the zap-api.jar wasn't 
built with this option/capability.  I then checked out source and followed 
these instructions 
(http://www.taddong.com/docs/Building_ZAP_with_Eclipse_v3.0.pdf) so I can build 
my own jar with source but keep getting this error:

 Buildfile: C:\Users\206435745\workspace\zaproxy\build\build.xml
  [taskdef] Could not load definitions from resource net/sf/antcontrib/antlib.xml. It could not be found.
setup:

BUILD FAILED
C:\Users\206435745\workspace\zaproxy\build\build.xml:893: Problem: failed to 
create task or type if
Cause: The name is undefined.
Action: Check the spelling.
Action: Check that any custom tasks/types have been declared.
Action: Check that any <presetdef>/<macrodef> declarations have taken place.

It fails here in build.xml:

<taskdef resource="net/sf/antcontrib/antlib.xml" >
        <classpath>
            <pathelement location="${dist.lib.dir}/ant-contrib-1.0b3.jar"/>
        </classpath>
    </taskdef>

I didn't see that jar in ${dist.lib.dir} location so I downloaded it and put it 
there myself but same exception kept occurring.  The whole point of this is to 
try and give you guys as much helpful information but I'm stuck at the moment 
:-(.  Please provide any helpful information if not create a zap-api.jar in 
which folk can input breakpoints.  

NOTE:

Even though the above exception is thrown, somehow a session was established 
programmatically still as I see the requests issued via test class in ZAP UI.  
I never explicitly stated what URL to listen to in UI as it was done 
programmatically.  That said, it appears the API worked or this would not have 
happened I think.  Possibly the exception is a false/positive?

Original comment by majones...@gmail.com on 24 Apr 2015 at 9:59

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18