iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0

Issues with BDD-Security #70

Open arcust opened 7 years ago

arcust commented 7 years ago

Hi,

I was running the bdd-security application against a web application that has a normal login and is hosted on my local machine. I am running with the built-in ZAP that comes along with the framework. Mine is a Windows machine, so I am running the zap.bat file. I tried to run the app-scan and authentication features alone.

I faced the following issues:

1) In config.xml, the zap.sh file is given by default and no comment was given about using the .bat file instead.

2) The ZAP that is attached is version 2.5.0, while the latest version is 2.6.0, because of which I think I am getting a net.continuumsecurity.proxy.ProxyException caused by org.zaproxy.clientapi.core.ClientApiException caused by java.net.ConnectException.

3) When I tried to manually put a 2.6.0 jar file in the zap folder (and also edited zap.bat), I ended up with a number of errors like the one below:

```
55786 [ZAP-ProxyThread-1] WARN org.zaproxy.zap.extension.api.API - ApiException while handling API request: No Implementor (no_implementor)
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:321)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:429)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:290)
    at java.lang.Thread.run(Thread.java:745)
```

Please help me resolve this in the right way.

stephendv1 commented 7 years ago

We have not tested BDD-Security on Windows. You can certainly try to change zap.sh to zap.bat in config.xml and see if it works. The built-in ZAP is version 2.5.0 and is the only supported version. We are currently doing work to migrate to 2.6.0, but since this has a modified API, it is not a simple upgrade. The built-in 2.5.0 should work as expected. When starting the framework, check in the output whether ZAP was able to start and listen on a port.
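The last suggestion in the reply above (confirm that ZAP actually started and is listening before blaming the client version) can be checked independently of the framework's own log output. The script below is an added example written for this page; it is not part of bdd-security or ZAP. It assumes a ZAP daemon was started locally, for instance with `zap.sh -daemon -port 8080` (or `zap.bat` on Windows), and that the API is reachable at 127.0.0.1:8080; the host, port and API key values are assumptions you adjust to your config.xml. A `java.net.ConnectException` from the client API, as in the issue report, simply means the TCP connect step below fails, so running this probe first separates "ZAP never came up" from "ZAP is up but the client and server API versions disagree" (the `No Implementor` warning in the report is the latter kind of problem).

```python
"""Readiness probe for a locally started ZAP daemon (added example, not project code)."""
import json
import socket
import time
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumed defaults: match these to the proxy host/port and API key in your config.xml.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 8080


def port_is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout.

    A refused connection here is the same failure the ZAP client API surfaces
    as java.net.ConnectException: nothing is accepting on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def zap_api_version(host: str, port: int, api_key: Optional[str] = None,
                    timeout: float = 3.0) -> Optional[str]:
    """Query ZAP's REST API for its version; None if the API did not answer.

    /JSON/core/view/version/ is a real ZAP API endpoint and returns
    {"version": "2.5.0"} for the bundled release discussed in the thread.
    The apikey query parameter is only needed when an API key is configured.
    """
    url = f"http://{host}:{port}/JSON/core/view/version/"
    if api_key:
        url += f"?apikey={api_key}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp).get("version")
    except (urllib.error.URLError, ValueError, OSError):
        return None


def wait_for_zap(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                 api_key: Optional[str] = None, deadline_s: float = 60.0,
                 poll_s: float = 1.0) -> Optional[str]:
    """Poll until the port accepts connections AND the API reports a version.

    Returns the version string on success, or None if the deadline passes.
    Checking both stages matters: the proxy port can open before the API
    extension is ready, and a mismatched client can reach a listening ZAP
    yet still fail on individual calls.
    """
    stop = time.monotonic() + deadline_s
    while time.monotonic() < stop:
        if port_is_listening(host, port, timeout=min(1.0, poll_s)):
            version = zap_api_version(host, port, api_key)
            if version:
                return version
        time.sleep(poll_s)
    return None


def check_ephemeral_listener() -> Tuple[bool, bool]:
    """Sanity check of the TCP probe against a throwaway local listener.

    Opens a listening socket on an ephemeral port, probes it (expected True),
    closes it, probes again (expected False). Useful to confirm the probe
    itself works on a host before trusting a negative result about ZAP.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((DEFAULT_HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_is_listening(DEFAULT_HOST, port, timeout=1.0)
    srv.close()
    after_close = port_is_listening(DEFAULT_HOST, port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("probe self-check (open, closed):", check_ephemeral_listener())
    version = wait_for_zap(deadline_s=30.0)
    if version is None:
        print(f"ZAP did not answer on {DEFAULT_HOST}:{DEFAULT_PORT}; "
              "check the framework output for how ZAP was launched.")
    else:
        print(f"ZAP {version} is up on {DEFAULT_HOST}:{DEFAULT_PORT}")
```

Run it right after the framework launches ZAP (or after starting ZAP by hand). If `port_is_listening` stays False, the launcher script (zap.sh vs. zap.bat) or the port in config.xml is the problem; if the port is open but `zap_api_version` returns None, the API itself is not serving, which is where a client/server version mismatch shows up.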