kasunkv / owasp-zap-vsts-task

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests
MIT License

Task Failed. Error: {"Success":false,"Message":"400 - \"{\\\"code\\\":\\\"illegal_parameter\\\",\\\"message\\\":\\\"Provided parameter has illegal or unrecognized value\\\"}\""} #22

Open yk-kuang opened 5 years ago

yk-kuang commented 5 years ago

Hi

Thank you for creating the add-on in VSTS. Really appreciated. I have an issue while running the add-on. My OWASP ZAP is public with SSL: https://owaspzap.xxxx.com with port 8483.

I selected a VSTS 2017 Host to run the steps and got this error message. Could you please provide a suggestion to fix this issue? Thank you!

Below is the output from VSTS.

2018-09-04T22:08:06.7088720Z ##[debug]Evaluating condition for step: 'OWASP ZAP Scan'
2018-09-04T22:08:06.7089733Z ##[debug]Evaluating: succeeded()
2018-09-04T22:08:06.7089976Z ##[debug]Evaluating succeeded:
2018-09-04T22:08:06.7090297Z ##[debug]=> True
2018-09-04T22:08:06.7090632Z ##[debug]Result: True
2018-09-04T22:08:06.7090956Z ##[section]Starting: OWASP ZAP Scan
2018-09-04T22:08:06.7095939Z ==============================================================================
2018-09-04T22:08:06.7096098Z Task : OWASP Zed Attack Proxy Scan
2018-09-04T22:08:06.7096257Z Description : Visual Studio Team Services build/release task for running OWASP ZAP automated security tests
2018-09-04T22:08:06.7096389Z Version : 2.0.7
2018-09-04T22:08:06.7096490Z Author : Kasun Kodagoda
2018-09-04T22:08:06.7096631Z Help : More Information
2018-09-04T22:08:06.7096771Z ==============================================================================
2018-09-04T22:08:07.0251648Z ##[debug]agent.TempDirectory=D:\a_temp
2018-09-04T22:08:07.0279517Z ##[debug]loading inputs and endpoints
2018-09-04T22:08:07.0285671Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2018-09-04T22:08:07.0299379Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2018-09-04T22:08:07.0301735Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2018-09-04T22:08:07.0303774Z ##[debug]loading INPUT_ENABLEVERIFICATIONS
2018-09-04T22:08:07.0305905Z ##[debug]loading INPUT_EXECUTEACTIVESCAN
2018-09-04T22:08:07.0307110Z ##[debug]loading INPUT_EXECUTESPIDERSCAN
2018-09-04T22:08:07.0308924Z ##[debug]loading INPUT_INSCOPEONLY
2018-09-04T22:08:07.0310116Z ##[debug]loading INPUT_MAXHIGHRISKALERTS
2018-09-04T22:08:07.0312005Z ##[debug]loading INPUT_MAXLOWRISKALERTS
2018-09-04T22:08:07.0313155Z ##[debug]loading INPUT_MAXMEDIUMRISKALERTS
2018-09-04T22:08:07.0315015Z ##[debug]loading INPUT_RECURSE
2018-09-04T22:08:07.0316795Z ##[debug]loading INPUT_RECURSESPIDER
2018-09-04T22:08:07.0317954Z ##[debug]loading INPUT_REPORTFILEDESTINATION
2018-09-04T22:08:07.0319691Z ##[debug]loading INPUT_REPORTFILENAME
2018-09-04T22:08:07.0320797Z ##[debug]loading INPUT_REPORTTYPE
2018-09-04T22:08:07.0322518Z ##[debug]loading INPUT_SUBTREEONLY
2018-09-04T22:08:07.0323609Z ##[debug]loading INPUT_TARGETURL
2018-09-04T22:08:07.0325114Z ##[debug]loading INPUT_ZAPAPIKEY
2018-09-04T22:08:07.0327391Z ##[debug]loading INPUT_ZAPAPIURL
2018-09-04T22:08:07.0331823Z ##[debug]loaded 19
2018-09-04T22:08:07.0346565Z ##[debug]Agent.ProxyUrl=undefined
2018-09-04T22:08:07.0347778Z ##[debug]Agent.CAInfo=undefined
2018-09-04T22:08:07.0348193Z ##[debug]Agent.ClientCert=undefined
2018-09-04T22:08:07.0348513Z ##[debug]Agent.SkipCertValidation=undefined
2018-09-04T22:08:07.4751156Z ##[debug]check path : D:\a_tasks\OwaspZapScan_xxxxxxxxxxxxxxxxxxx\2.0.7\task.json
2018-09-04T22:08:07.4753245Z ##[debug]adding resource file: D:\a_tasks\OwaspZapScan_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\2.0.7\task.json
2018-09-04T22:08:07.4753548Z ##[debug]system.culture=en-US
2018-09-04T22:08:07.4789152Z ##[debug]ZapApiUrl=owaspzap.xxxxxxxx.com
2018-09-04T22:08:07.4791921Z ##[debug]ZapApiKey=xxxxxxxxxxxxxxxxxxxxxxxx
2018-09-04T22:08:07.4793620Z ##[debug]TargetUrl=target.xxxxxxxx.com
2018-09-04T22:08:07.4796825Z ##[debug]ExecuteSpiderScan=true
2018-09-04T22:08:07.4798359Z ##[debug]RecurseSpider=false
2018-09-04T22:08:07.4800045Z ##[debug]SubtreeOnly=false
2018-09-04T22:08:07.4801031Z ##[debug]MaxChildrenToCrawl=null
2018-09-04T22:08:07.4801411Z ##[debug]ContextName=null
2018-09-04T22:08:07.4802984Z ##[debug]ExecuteActiveScan=true
2018-09-04T22:08:07.4803499Z ##[debug]ContextId=null
2018-09-04T22:08:07.4805274Z ##[debug]Recurse=true
2018-09-04T22:08:07.4807898Z ##[debug]InScopeOnly=false
2018-09-04T22:08:07.4808185Z ##[debug]ScanPolicyName=null
2018-09-04T22:08:07.4808546Z ##[debug]Method=null
2018-09-04T22:08:07.4809021Z ##[debug]PostData=null
2018-09-04T22:08:07.4811026Z ##[debug]ReportType=html
2018-09-04T22:08:07.4813849Z ##[debug]ReportFileDestination=D:\a\1\s
2018-09-04T22:08:07.4816041Z ##[debug]ReportFileName=OWASP-ZAP-Report-1578
2018-09-04T22:08:07.4816608Z ##[debug]Build.Repository.Name=WebOwaspZapSecurityTesting
2018-09-04T22:08:07.4817794Z ##[debug]Build.DefinitionName=nightly-OWASPZAP
2018-09-04T22:08:07.4820206Z ##[debug]EnableVerifications=true
2018-09-04T22:08:07.4821580Z ##[debug]MaxHighRiskAlerts=0
2018-09-04T22:08:07.4824044Z ##[debug]MaxMediumRiskAlerts=2
2018-09-04T22:08:07.4826061Z ##[debug]MaxLowRiskAlerts=2
2018-09-04T22:08:07.4839235Z ##[debug]Spider Scan | Target URL: http://owaspzap.xxxxxxxx.com/JSON/spider/action/scan/ | Scan Options: {"apikey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","url":"target.xxxxxxxx.com","maxChildren":"","recurse":"false","subtreeOnly":"false","contextName":"","formMethod":"GET","zapapiformat":"JSON"}
2018-09-04T22:08:08.7435463Z ##[debug]task result: Failed
2018-09-04T22:08:08.7505502Z ##[error]Task Failed. Error: {"Success":false,"Message":"400 - \"{\\"code\\":\\"illegal_parameter\\",\\"message\\":\\"Provided parameter has illegal or unrecognized value\\"}\""}
2018-09-04T22:08:08.7518191Z ##[debug]Processed: ##vso[task.issue type=error;]Task Failed. Error: {"Success":false,"Message":"400 - \"{\\"code\\":\\"illegal_parameter\\",\\"message\\":\\"Provided parameter has illegal or unrecognized value\\"}\""}
2018-09-04T22:08:08.7534192Z ##[debug]Processed: ##vso[task.complete result=Failed;]Task Failed. Error: {"Success":false,"Message":"400 - \"{\\"code\\":\\"illegal_parameter\\",\\"message\\":\\"Provided parameter has illegal or unrecognized value\\"}\""}
2018-09-04T22:08:08.7545657Z ##[section]Finishing: OWASP ZAP Scan

kasunkv commented 5 years ago

@helloyzk Can you access the ZAP API over HTTP as well? Coz at the moment the task does not support calling the ZAP API over HTTPS. It will be added in a future update. But it seems ZAP API cannot be accessed using HTTP. If you have HTTP disabled, pls re-enable it and see if it's working.

yk-kuang commented 5 years ago

@kasunkv Thank you so much for your reply. I changed the site to http only and I still get the same error message.

shivakumarg06 commented 5 years ago

@helloyzk I am also facing similar issues. I have Zap running on HTTP and am able to access it from the browser, but from VSTS it failed.

ShoeQ commented 5 years ago

Also getting this issue when calling Zap over just HTTP from Azure Dev Ops

ShoeQ commented 5 years ago

I'm guessing @kasunkv has no intention of looking into this matter.

kasunkv commented 5 years ago

@ShoeQ It's not that I have no intention of looking into this, but I simply could not find time to work on this due to being busy with work for the last few months. I am truly sorry for the delay about these issues, but please understand that I can only look into this when I have time. I will look at the issues this weekend and set up a pipeline to get the pending PRs merged and released ASAP. You should be able to get some update at the end of this week.

thc202 commented 5 years ago

The TargetUrl needs to have the scheme.
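
The scheme requirement from the last comment can be checked before a pipeline step calls ZAP. The JavaScript below is an added example, not code from the task or from ZAP: `checkScanUrl`, `checkDebugLine` and the sample values are hypothetical, and limiting the accepted schemes to http and https is an assumption.

```javascript
// Added example: pre-flight check for the URL handed to the ZAP spider/active scan.
// Names and sample values are hypothetical, not taken from the task's source.

// Assumption: only http and https targets are meant to be scanned.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok, reason } for a TargetUrl-style value.
function checkScanUrl(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  const candidate = value.trim();
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (err) {
    // "target.example.test" has no scheme, so the WHATWG parser rejects it.
    return { ok: false, reason: "missing-scheme" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    // "target.example.test:8483" does parse, with the host name taken as the
    // scheme, so a bare try/catch around new URL() is not a sufficient check.
    const reason = candidate.includes("://") ? "unsupported-scheme" : "missing-scheme";
    return { ok: false, reason };
  }
  return { ok: true, reason: "" };
}

// Reads the "url" field from a "Spider Scan | ... | Scan Options: {...}" debug
// line shaped like the one in the log above, and checks it.
function checkDebugLine(line) {
  const marker = "Scan Options: ";
  const at = line.indexOf(marker);
  if (at === -1) return null; // not a scan-options line
  let options;
  try {
    options = JSON.parse(line.slice(at + marker.length));
  } catch (err) {
    return { url: undefined, ok: false, reason: "unparseable-options" };
  }
  return { url: options.url, ...checkScanUrl(options.url) };
}

// Constructed sample line (placeholder hosts and key, same shape as the log above).
const SAMPLE_LINE =
  '##[debug]Spider Scan | Target URL: http://zap.example.test/JSON/spider/action/scan/ | ' +
  'Scan Options: {"apikey":"CONSTRUCTED-KEY","url":"target.example.test","recurse":"false","zapapiformat":"JSON"}';

console.log(checkDebugLine(SAMPLE_LINE));
```

Failing the step on a `missing-scheme` result surfaces the misconfigured input directly instead of ZAP's generic `illegal_parameter` response.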