Closed GoogleCodeExporter closed 9 years ago
Here are the other broken methods in net.continuumsecurity.proxy.ZAProxyScanner
class as the signatures in new org.zaproxy.clientapi.core.ClientAPI have
changed:
```java
@Override
public void setScannerAttackStrength(String scannerId, String strength) throws ProxyException {
    try {
        clientApi.ascan.setScannerAttackStrength(apiKey,scannerId, strength,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException("Error occurred for setScannerAttackStrength", e);
    }
}

@Override
public void setScannerAlertThreshold(String scannerId, String threshold) throws ProxyException {
    try {
        clientApi.ascan.setScannerAlertThreshold(apiKey, scannerId, threshold,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

@Override
public void disableAllScanners() throws ProxyException {
    try {
        ApiResponse response = clientApi.pscan.setEnabled(apiKey,"false");
        response = clientApi.ascan.disableAllScanners(apiKey,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

@Override
public void enableAllScanners() throws ProxyException {
    try {
        clientApi.pscan.setEnabled(apiKey,"true");
        clientApi.ascan.enableAllScanners(apiKey,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

public void scan(String url) throws ProxyException {
    try {
        clientApi.ascan.scan(apiKey,url, "true", "false",null,null,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

public int getScanProgress(int id) throws ProxyException {
    try {
        ApiResponseList response = (ApiResponseList)clientApi.ascan.scans(); // <------ HERE
        return new ScanResponse(response).getScanById(id).getProgress();
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

public void clear() throws ProxyException {
    try {
        clientApi.ascan.removeAllScans(null); // <------ HERE
        clientApi.core.newSession(apiKey,"","");
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

@Override
public void spider(String url) {
    try {
        clientApi.spider.scan(apiKey,url,null); // <------ HERE
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}

@Override
public int getLastScannerScanId() {
    try {
        ApiResponseList response = (ApiResponseList)clientApi.ascan.scans(); // <------ HERE
        return new ScanResponse(response).getLastScan().getId();
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}
```
Original comment by majones...@gmail.com
on 21 Apr 2015 at 6:13
The proxy project pom dependency:
```xml
<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>zaproxy-client-api</artifactId>
    <version>2.4.1</version>
    <scope>system</scope>
    <systemPath>${project.basedir}/lib/zap-api-2.4-v1.jar</systemPath>
</dependency>
```
is pointing to a jar that appears to be an older version but the name of .jar
is correct. Unless the real issue is things are not in synch?
Original comment by majones...@gmail.com
on 21 Apr 2015 at 6:16
It's working for me, that is, calling ZAProxyScanner.clear() does not throw any
exception.
Are you sure that there's no older ZAP API library in the classpath?
The class Ascan does have the method removeAllScans(String) [1] also double
checked with the actual class file contained in zap-api-2.4-v1.jar.
The same for the other methods.
[1] https://code.google.com/p/zaproxy/source/browse/branches/2.4/src/org/zaproxy/clientapi/gen/Ascan.java#267
Original comment by THC...@gmail.com
on 21 Apr 2015 at 6:25
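One way to answer the classpath question raised in the comment above, as an added example (not code from ZAP or zap-java-api): this Java diagnostic lists every copy of a class visible on the classpath, reports where the loaded copy came from, and prints the signatures it exposes for one method. The class name `WhichJar` is hypothetical; the defaults are the class and method named in this thread.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.List;

// Added diagnostic, not part of ZAP: finds stale or duplicate copies of a
// class on the classpath and shows which signatures the loaded copy has.
public class WhichJar {
    public static void main(String[] args) throws Exception {
        // Defaults are the class and method discussed in this thread.
        String className = args.length > 0 ? args[0] : "org.zaproxy.clientapi.gen.Ascan";
        String methodName = args.length > 1 ? args[1] : "removeAllScans";

        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) loader = ClassLoader.getSystemClassLoader();

        // 1. Every classpath entry that contains the class file.
        String resource = className.replace('.', '/') + ".class";
        List<URL> copies = Collections.list(loader.getResources(resource));
        System.out.println(copies.size() + " copy/copies of " + className + ":");
        for (URL u : copies) System.out.println("  " + u);
        if (copies.size() > 1)
            System.out.println("  WARNING: duplicates found; only one of them is actually used");

        // 2. The copy the class loader resolves (loaded without initialising it).
        Class<?> cls;
        try {
            cls = Class.forName(className, false, loader);
        } catch (ClassNotFoundException e) {
            System.out.println("Class not found on this classpath: " + className);
            return;
        }
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        System.out.println("Loaded from: " + (src != null ? src.getLocation() : "bootstrap/unknown"));

        // 3. Public signatures of the method on the loaded copy.
        boolean found = false;
        for (Method m : cls.getMethods()) {
            if (m.getName().equals(methodName)) {
                System.out.println("  " + m.toGenericString());
                found = true;
            }
        }
        if (!found) System.out.println("  no public method named " + methodName);
    }
}
```

Run it with the same classpath as the failing tests; more than one listed copy, or a "Loaded from" location other than the expected jar, points to an older library shadowing the intended one.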
Ahhh you know what....I imported workspace from here:
http://sourceforge.net/projects/zaproxy/files/workspace/
and I just saw there is an older copy there, hence, what's throwing things off.
Removing workspace code from build path/project Testing with actual jar...keep
u posted shortly...Thanks btw for pointing out this..
Original comment by majones...@gmail.com
on 21 Apr 2015 at 7:31
OK...after removing outdated workspace (we need to update new workspace here
btw http://sourceforge.net/projects/zaproxy/files/workspace/) and ensured
project was using zap-api-2.4-v1.jar directly, I get the below exception:
```
org.zaproxy.clientapi.core.ClientApiException: Invalid or missing API key (bad_api_key)
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
    at org.zaproxy.clientapi.gen.Ascan.removeAllScans(Unknown Source)
    at net.continuumsecurity.proxy.ZAProxyScanner.clear(ZAProxyScanner.java:212)
    at com.nbcuni.test.webdriver.ZAPScanner.connectToZAPProxy(ZAPScanner.java:379)
    at com.nbcuni.test.webdriver.ZAPScanner.enableProxyScan(ZAPScanner.java:858)
    at com.nbcuni.test.clovis.application.create.TC3167_CreateNewApplicationAndValidate.test(TC3167_CreateNewApplicationAndValidate.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:84)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:714)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:901)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1231)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
```
Also, I started Zaproxy manually beforehand so the proxy was up and running at
the time locally. I also generated different api keys but no luck.
Another thing I noticed is I'm not able to access API UI which is supposed to
be accessible at http://api/ or http://api/UI/core/. I added host and port but
still was not able to access?
Original comment by majones...@gmail.com
on 21 Apr 2015 at 9:24
The above exception happens when calling clear()
Original comment by majones...@gmail.com
on 21 Apr 2015 at 9:25
Right, the workspace should be updated. I guess that will be done after the
migration from Google Code.
Ah, yeah, that's caused by an issue in zap-java-api.
There are some API calls that are missing the API key:
- In ZAProxyScanner.clear() when calling Ascan.removeAllScans(String);
- In ZAProxyScanner.deleteAlerts() when calling Core.deleteAllAlerts(String);
- In ZAProxyScanner.getXmlReport() when calling Core.xmlreport(String).
I think that's all.
To access the API UI you should use:
http://zap/UI
while proxying through ZAP or if you are not proxying, just access the
address/port that ZAP is listening at, for example:
http://localhost:8080/UI
Original comment by THC...@gmail.com
on 21 Apr 2015 at 10:05
Ahhh OK. After looking further, you are right as I see it was passing null
vs the apiKey. I added the apiKey to:
```java
public void clear() throws ProxyException {
    try {
        clientApi.ascan.removeAllScans(apiKey);
        clientApi.core.newSession(apiKey,"","");
    } catch (ClientApiException e) {
        e.printStackTrace();
        throw new ProxyException(e);
    }
}
```
but still got the same exception. I also checked out the zap-api source
via svn but having dependency issues in which I'm trying to resolve. I'm
thinking the issue is my projects are mavenized and the source is not which
is causing me issues. I know the workspace zip worked but it's outdated.
Any pointers on how to add source to mavenized project?
Thanks BTW for the response :-)
Original comment by majones...@gmail.com
on 22 Apr 2015 at 4:08
Have just committed a new version of java-zap-api with the null instances
replaced by apiKey.
Original comment by stephe...@gmail.com
on 22 Apr 2015 at 6:19
OK sweet! testing it out shortly after lunch...keep you posted...
Original comment by majones...@gmail.com
on 22 Apr 2015 at 7:09
Might be late but, regarding the source, have you tried updating the workspace?
You should be able to "svn update" the projects (or from within Eclipse "Team" > "Update").
Original comment by THC...@gmail.com
on 22 Apr 2015 at 10:53
OK issue still persists, meaning, getting same exception:
```
org.zaproxy.clientapi.core.ClientApiException: Invalid or missing API key (bad_api_key)
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
    at org.zaproxy.clientapi.gen.Ascan.removeAllScans(Unknown Source)
    at net.continuumsecurity.proxy.ZAProxyScanner.clear(ZAProxyScanner.java:212)
```
I did attempt to debug/trace where exactly in code does it throw the exception
(obviously here org.zaproxy.clientapi.core.ApiResponseFactory.getResponse) but
when I add a debugger breakpoint in Ascan class I get this exception:
"Unable to install breakpoint in org.zaproxy.clientapi.gen.Ascan due to missing
line number attributes. Modify compiler options to generate line number
attributes."
My compiler does have that option checked so I believe the zap-api.jar wasn't
built with this option/capability. I then checked out source and followed
these instructions
(http://www.taddong.com/docs/Building_ZAP_with_Eclipse_v3.0.pdf) so I can build
my own jar with source but keep getting this error:
```
Buildfile: C:\Users\206435745\workspace\zaproxy\build\build.xml
  [taskdef] Could not load definitions from resource net/sf/antcontrib/antlib.xml. It could not be found.
setup:
BUILD FAILED
C:\Users\206435745\workspace\zaproxy\build\build.xml:893: Problem: failed to create task or type if
Cause: The name is undefined.
Action: Check the spelling.
Action: Check that any custom tasks/types have been declared.
Action: Check that any <presetdef>/<macrodef> declarations have taken place.
```
It fails here in build.xml:
```xml
<taskdef resource="net/sf/antcontrib/antlib.xml" >
    <classpath>
        <pathelement location="${dist.lib.dir}/ant-contrib-1.0b3.jar"/>
    </classpath>
</taskdef>
```
I didn't see that jar in ${dist.lib.dir} location so I downloaded it and put it
there myself but same exception kept occurring. The whole point of this is to
try and give you guys as much helpful information but I'm stuck at the moment
:-(. Please provide any helpful information if not create a zap-api.jar in
which folk can input breakpoints.
NOTE:
Even though the above exception is thrown, somehow a session was established
programmatically still as I see the requests issued via test class in ZAP UI.
I never explicitly stated what URL to listen to in UI as it was done
programmatically. That said, it appears the API worked or this would not have
happened I think. Possibly the exception is a false/positive?
Original comment by majones...@gmail.com
on 24 Apr 2015 at 9:59
ZAP has been migrated to github
This issue will be on github issues with the same ID:
https://github.com/zaproxy/zaproxy/issues
Original comment by psii...@gmail.com
on 5 Jun 2015 at 9:18
Original issue reported on code.google.com by
majones...@gmail.com
on 21 Apr 2015 at 3:52