denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

[github] Improve error messages for zap plugin #1761

Closed taxxi closed 8 years ago

taxxi commented 8 years ago

Hello, I have a problem with connecting ThreadFix and ZAP.

At first, I followed the ZAP-plugin guide and installed the plugin in ZAP successfully.

But the following import does not work. As described in the guide, I chose "Tools->ThreadFix: Import Endpoints from ThreadFix" and filled in the API key + URL ("http://localhost:8080/threadfix/rest/"). After I pressed the button, ZAP asked me for my application. But after this, ZAP showed a warning message: "Failed to retrieve endpoints from ThreadFix. Check your key and url."

What am I doing wrong???

However, I am not sure whether the warning message is really true. According to this issue, I might have made a mistake in my application's configuration. But I cannot find a further application-configuration guide which can solve my problem. What should I consider???

d-maldonado commented 8 years ago

Taxxi,

What version of ThreadFix/ZAP/Zap plugin are you currently using?

Daniel M

taxxi commented 8 years ago

Hi,

ZAP: 2.4.3 ThreadFix: 2.3.0 Zap-Plugin: threadfix-release-2.zap

regards

d-maldonado commented 8 years ago

Taxxi,

Did you download the plugin from the ThreadFix application or some other means? More info here.

I would double check to make sure your rest endpoint is correct. I believe it should be http://localhost:8080/threadfix/rest. A simple way to verify is to make a request with curl. More info here.

Daniel M

taxxi commented 8 years ago

Hi Daniel,

1) I downloaded the plugin from the download-tools side.

2) I have already tried this possibility, however I get the same result: "Failed to ... key and url". Besides, I think my API key and my URL are probably not the problem. If I enter a REST side, for example "http://localhost:8080/threadfix/rest/teams" with my API key appended as "/?apiKey=XXX", I get the correct answer with all my created teams.

I really don't know currently, what I am doing wrong :-(...

But that's it for today, I wish you a good weekend :) regards

dancornell commented 8 years ago

One thing that you might try is playing with the URL - try adding or removing a '/' or "rest" or "rest/" at the end. Sometimes we handle that poorly in the underlying libraries and that leads to dumb (on our part) errors.

d-maldonado commented 8 years ago

Taxxi,

Thanks for the additional information.

Can you double check the port that the ZAP local proxy is running on? By default I believe the proxy runs on 8080 (same default port as Tomcat). I suggest changing it to another port (8086). Let me know if that helps.

Have a great weekend.

Daniel M

taxxi commented 8 years ago

Hi,

One thing that you might try is playing with the URL - try adding or removing a '/' or "rest" or "rest/" at the end. Sometimes we handle that poorly in the underlying libraries and that leads to dumb (on our part) errors.

I tried now: http://localhost:8080/threadfix and http://localhost:8080/threadfix/ -> result: "Failed while trying to get a list of applications from ThreadFix." [1]

http://localhost:8080/threadfix/rest and http://localhost:8080/threadfix/rest/ -> result: I can choose my application from my correct list -> "Failed to retrieve endpoints from ThreadFix. Check your key and url." [2]

Can you double check the port that the ZAP local proxy is running on? By default I believe the proxy runs on 8080 (same default port as Tomcat). I suggest changing it to another port (8086). Let me know if that helps.

My ZAP already uses port 8081. It doesn't work anyway if both tools use the same port 8080 (result -> [1]). But I tried it with port 8086 too. The result is still the same (still [2]).

Well, I am not sure whether you have understood my problem :). I still get one right answer from ThreadFix. After the first ZAP dialog (where I have to fill in the URL and API key) I get the correct application list with all of my applications in ThreadFix. I guess the connection is (at least a bit) working. The error message appears once I choose my application and press OK.

regards

d-maldonado commented 8 years ago

Taxxi,

Thank you for the additional information. How do you have the source configured for the application you are trying to get endpoints for?

Do you see any errors in the logs (threadfix.log)? More info regarding logging here.

Are there any system error messages?

Daniel Maldonado

taxxi commented 8 years ago

Hi Daniel,

Thank you for the additional information. How do you have the source configured for the application you are trying to get endpoints for?

I tried it for two websites:

1) one free test site, for which I have no source code information ("Source Code Information" is empty)

2) my own juice shop (https://github.com/bkimminich/juice-shop); this website is running in my docker container and I have copied the source code into my git folder. The source code information is:

The Application Type is "DETECT" (in both cases) and I do not use a WAF or Defect Tracker either.

Do you see any errors in the logs (threadfix.log)? More info regarding logging here.

test website's log:

2016-06-03 11:21:29,115 [http-apr-8080-exec-10] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:140) - No HttpSession currently exists
2016-06-03 11:21:29,116 [http-apr-8080-exec-10] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:91) - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-03 11:21:29,117 [http-apr-8080-exec-10] INFO denimgroup.threadfix.webapp.controller.rest.PluginRestController (PluginRestController.java:96) - Received REST request for application CSV list
2016-06-03 11:21:29,118 [http-apr-8080-exec-10] DEBUG denimgroup.threadfix.webapp.controller.rest.TFRestController (TFRestController.java:78) - API key with ID: 3 authenticated successfully on path: /rest/code/applications for methodName: PLUGIN_APPLICATIONS
2016-06-03 11:21:29,122 [http-apr-8080-exec-10] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper (HttpSessionSecurityContextRepository.java:304) - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-06-03 11:21:31,406 [http-apr-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:140) - No HttpSession currently exists
2016-06-03 11:21:31,406 [http-apr-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:91) - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-03 11:21:31,408 [http-apr-8080-exec-1] INFO denimgroup.threadfix.webapp.controller.rest.PluginRestController (PluginRestController.java:121) - Received REST request for application CSV list
2016-06-03 11:21:31,409 [http-apr-8080-exec-1] DEBUG denimgroup.threadfix.webapp.controller.rest.TFRestController (TFRestController.java:78) - API key with ID: 3 authenticated successfully on path: /rest/code/applications/6/endpoints for methodName: PLUGINENDPOINTS
2016-06-03 11:21:31,411 [http-apr-8080-exec-1] INFO com.denimgroup.threadfix.service.repository.RepositoryServiceFactoryImpl (RepositoryServiceFactoryImpl.java:51) - Determining proper RepositoryService implementation for application testfire and new scan.
2016-06-03 11:21:31,412 [http-apr-8080-exec-1] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:55) - getScratchFile << tmp
2016-06-03 11:21:31,412 [http-apr-8080-exec-1] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:61) - Scratch folder is not configured, using relative path.
2016-06-03 11:21:31,412 [http-apr-8080-exec-1] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:88) - getScratchFile >> C:\toolsdir\tomcat\bin\tmp
2016-06-03 11:21:31,415 [http-apr-8080-exec-1] ERROR com.denimgroup.threadfix.webapp.controller.RestExceptionControllerAdvice (RestExceptionControllerAdvice.java:170) - Uncaught exception - logging at Jun 3, 2016 11:21:31 AM.
2016-06-03 11:21:31,429 [http-apr-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper (HttpSessionSecurityContextRepository.java:304) - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

juice shop's log:

2016-06-03 11:21:46,405 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:140) - No HttpSession currently exists
2016-06-03 11:21:46,405 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:91) - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-03 11:21:46,406 [http-apr-8080-exec-8] INFO denimgroup.threadfix.webapp.controller.rest.PluginRestController (PluginRestController.java:96) - Received REST request for application CSV list
2016-06-03 11:21:46,407 [http-apr-8080-exec-8] DEBUG denimgroup.threadfix.webapp.controller.rest.TFRestController (TFRestController.java:78) - API key with ID: 3 authenticated successfully on path: /rest/code/applications for methodName: PLUGIN_APPLICATIONS
2016-06-03 11:21:46,411 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper (HttpSessionSecurityContextRepository.java:304) - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-06-03 11:21:48,687 [http-apr-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:140) - No HttpSession currently exists
2016-06-03 11:21:48,687 [http-apr-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:91) - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-03 11:21:48,689 [http-apr-8080-exec-3] INFO denimgroup.threadfix.webapp.controller.rest.PluginRestController (PluginRestController.java:121) - Received REST request for application CSV list
2016-06-03 11:21:48,690 [http-apr-8080-exec-3] DEBUG denimgroup.threadfix.webapp.controller.rest.TFRestController (TFRestController.java:78) - API key with ID: 3 authenticated successfully on path: /rest/code/applications/4/endpoints for methodName: PLUGINENDPOINTS
2016-06-03 11:21:48,693 [http-apr-8080-exec-3] INFO com.denimgroup.threadfix.service.repository.RepositoryServiceFactoryImpl (RepositoryServiceFactoryImpl.java:51) - Determining proper RepositoryService implementation for application JuiceShop and new scan.
2016-06-03 11:21:48,693 [http-apr-8080-exec-3] INFO com.denimgroup.threadfix.service.repository.RepositoryServiceFactoryImpl (RepositoryServiceFactoryImpl.java:62) - Source code is being stored in Git. Returning GitServiceImpl.
2016-06-03 11:21:48,694 [http-apr-8080-exec-3] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:55) - getScratchFile << scratch/4
2016-06-03 11:21:48,694 [http-apr-8080-exec-3] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:61) - Scratch folder is not configured, using relative path.
2016-06-03 11:21:48,694 [http-apr-8080-exec-3] DEBUG com.denimgroup.threadfix.DiskUtils (DiskUtils.java:88) - getScratchFile >> C:\toolsdir\tomcat\bin\scratch\4
2016-06-03 11:21:48,706 [http-apr-8080-exec-3] DEBUG org.owasp.esapi.reference.Log4JLogger (Log4JLogger.java:449) - [EVENT SUCCESS Anonymous:null@unknown -> /ExampleApplication/JavaEncryptor] Args valid for JavaEncryptor.decrypt(SecretKey,CipherText): CipherText: Creation time: Fri Jun 03 11:21:48 CEST 2016, raw ciphertext is present (32 bytes), MAC is absent; CipherSpec: AES/CBC/PKCS5Padding; keysize= 128 bits; blocksize= 16 bytes; IV length = 16 bytes.
2016-06-03 11:21:48,707 [http-apr-8080-exec-3] DEBUG org.owasp.esapi.reference.Log4JLogger (Log4JLogger.java:449) - [EVENT SUCCESS Anonymous:null@unknown -> /ExampleApplication/JavaEncryptor] Args valid for JavaEncryptor.decrypt(SecretKey,CipherText): CipherText: Creation time: Fri Jun 03 11:21:48 CEST 2016, raw ciphertext is present (16 bytes), MAC is absent; CipherSpec: AES/CBC/PKCS5Padding; keysize= 128 bits; blocksize= 16 bytes; IV length = 16 bytes.
2016-06-03 11:21:49,490 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.engine.framework.FrameworkCalculator (FrameworkCalculator.java:69) - Attempting to guess Framework Type from source tree.
2016-06-03 11:21:49,491 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.engine.framework.FrameworkCalculator (FrameworkCalculator.java:70) - File: C:\toolsdir\tomcat\bin\scratch\4
2016-06-03 11:21:49,518 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker (DotNetFrameworkChecker.java:50) - Got 0 .cs files from the directory.
2016-06-03 11:21:49,525 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.impl.dotNet.DotNetFrameworkChecker (DotNetFrameworkChecker.java:55) - Got 0 Controller files from the directory.
2016-06-03 11:21:49,532 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.impl.dotNetWebForm.WebFormsFrameworkChecker (WebFormsFrameworkChecker.java:50) - Got 0 .aspx files from the directory.
2016-06-03 11:21:49,540 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker (RailsFrameworkChecker.java:68) - Got 0 *.rb files from the directory.
2016-06-03 11:21:49,540 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.impl.rails.RailsFrameworkChecker (RailsFrameworkChecker.java:69) - .../config/routes.rb was NOT found.
2016-06-03 11:21:49,541 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.engine.framework.FrameworkCalculator (FrameworkCalculator.java:87) - Source tree framework type detection returned: None
2016-06-03 11:21:49,541 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory (EndpointDatabaseFactory.java:107) - Creating database with root file = C:\toolsdir\tomcat\bin\scratch\4 and framework type = NONE and path cleaner = [PathCleaner dynamicRoot=null, staticRoot=null]
2016-06-03 11:21:49,541 [http-apr-8080-exec-3] INFO denimgroup.threadfix.framework.engine.full.EndpointDatabaseFactory (EndpointDatabaseFactory.java:133) - Returning database with generator: null
2016-06-03 11:21:49,542 [http-apr-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper (HttpSessionSecurityContextRepository.java:304) - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

Are there any system error messages?

Yes, there are some NullPointerExceptions:

Commit:
Diagnostics: 1 gigabytes memory available out of 4 gigabytes. 115 gigabytes disk space available.

java.lang.NullPointerException

at com.denimgroup.threadfix.webapp.controller.rest.PluginRestController.getProjectConfig(PluginRestController.java:155)

at com.denimgroup.threadfix.webapp.controller.rest.PluginRestController.getEndpoints(PluginRestController.java:137)

regards

d-maldonado commented 8 years ago

Taxxi,

I tried it for two websites: 1) one free test site, for which I have no source code information ("Source Code Information" is empty)

If ThreadFix is unable to access a project's source code, it has no way of generating endpoints. This is what is causing the NPE that you are seeing on the System Error Messages page.

The error message should be more explicit and ThreadFix should obviously address the NPE correctly. I have created an internal ticket to have this addressed.

2) my own juice shop (https://github.com/bkimminich/juice-shop); this website is running in my docker container and I have copied the source code into my git folder.

This project is a Node/Express application. Currently the endpoint generator does not support that framework. You can find a list of all supported languages and frameworks here: https://github.com/denimgroup/threadfix/wiki/Hybrid-Analysis-Mapping-Configuration#introduction

If you are looking for a test application I suggest using bodgeit, found here: https://github.com/psiinon/bodgeit

That being said, the error message should be more explicit if the framework is not supported and I have filed a separate internal ticket to have that addressed.

Let me know if you have any other questions or if you have trouble when using bodgeit.

Daniel Maldonado
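As an added diagnostic (not code from ThreadFix, ZAP or the plugin), the script below replays the two REST calls the plugin makes according to the threadfix.log excerpts above (the application list, then the endpoints for one application id), so a failure in the second step can be told apart from a bad key or URL, and it normalises the base URL the way dancornell's comment suggests trying by hand. It assumes apiKey query-parameter authentication as in the manual /rest/teams check earlier in the thread; the HTTP status meanings are assumptions for illustration.

```shell
#!/bin/sh
# Added diagnostic, not ThreadFix/ZAP project code. Replays the two REST
# calls seen in the thread's threadfix.log excerpts:
#   1. GET <base>/rest/code/applications                 (application list)
#   2. GET <base>/rest/code/applications/<id>/endpoints  (endpoint import)
# Assumption: the key is accepted as an apiKey query parameter, as in the
# manual /rest/teams/?apiKey=XXX check in the thread. Note that a key in the
# query string also lands in the Tomcat access log.

# Normalise whatever was typed into the plugin dialog into a base URL
# without trailing slashes and without a trailing "/rest" or "/rest/".
normalize_base_url() {
    url=$1
    while [ "${url%/}" != "$url" ]; do url=${url%/}; done
    case "$url" in
        */rest) url=${url%/rest} ;;
    esac
    printf '%s\n' "$url"
}

# Turn the HTTP status of one plugin step into a verdict. The status-to-cause
# mapping is a constructed assumption for this example.
classify_step() {
    step=$1; status=$2
    case "$status" in
        200)     echo "$step: OK" ;;
        401|403) echo "$step: rejected - check apiKey" ;;
        404)     echo "$step: not found - check base URL (context path, /rest)" ;;
        5*)      echo "$step: server-side error - check threadfix.log and the System Error Messages page" ;;
        000|"")  echo "$step: no connection - check host/port (ZAP proxy and Tomcat must not share a port)" ;;
        *)       echo "$step: unexpected HTTP $status" ;;
    esac
}

# Run both steps against a live instance; returns non-zero at the first
# step that does not answer 200, so the failing step is the last line printed.
run_diagnostics() {
    base=$(normalize_base_url "$1"); key=$2; app_id=$3
    s1=$(curl -s -o /dev/null -w '%{http_code}' "$base/rest/code/applications?apiKey=$key")
    classify_step "list applications" "$s1"
    [ "$s1" = 200 ] || return 1
    s2=$(curl -s -o /dev/null -w '%{http_code}' "$base/rest/code/applications/$app_id/endpoints?apiKey=$key")
    classify_step "fetch endpoints for app $app_id" "$s2"
    [ "$s2" = 200 ]
}

# Only touch the network when the caller provides an instance, so the file
# can be sourced offline for the pure functions above.
if [ -n "${THREADFIX_URL:-}" ] && [ -n "${THREADFIX_API_KEY:-}" ]; then
    run_diagnostics "$THREADFIX_URL" "$THREADFIX_API_KEY" "${THREADFIX_APP_ID:-1}"
fi
```

Run it as THREADFIX_URL=http://localhost:8080/threadfix/rest/ THREADFIX_API_KEY=... THREADFIX_APP_ID=6 sh diag.sh; a 200 on the first call followed by a 5xx on the second matches the "applications listed, endpoints failed" pattern in this thread.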

drequil commented 8 years ago

This is a great and very comprehensive support/bugfix reply. I’m not affected by the bug, but I just had to reply to say “keep up the good work!”

Andre Gott, Professional Services – North America
E: andre.gott@checkmarx.com

From: Daniel Maldonado [mailto:notifications@github.com] Sent: Thursday, June 16, 2016 7:01 PM To: denimgroup/threadfix threadfix@noreply.github.com Subject: Re: [denimgroup/threadfix] ThreadFix + ZAP (#1761)
