secureCodeBox / scanner-webapplication-zap

Part of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
Apache License 2.0

Exception on empty replacer list #23

Closed J12934 closed 5 years ago

J12934 commented 6 years ago

I started a Zap Process with an advanced scanner configuration but did not set any replacer rules. The scanner wrapper failed to start the scan, see exception.

479603 [ZAP-ProxyThread-172] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/xml/replacer/action/addRule/] from [127.0.0.1]:
Missing Parameter (missing_parameter) : replacement
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:423)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:317)
    at java.lang.Thread.run(Thread.java:748)
2018-10-24 16:15:03.718 ERROR 112 --- [pool-1-thread-5] i.s.zap.jobs.definition.EngineWorkerJob  : Job execution error!
org.zaproxy.clientapi.core.ClientApiException: Missing Parameter
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:50) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
    at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:332) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
    at org.zaproxy.clientapi.gen.Replacer.addRule(Replacer.java:77) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
    at io.securecodebox.zap.service.zap.ZapService.addReplacerRule(ZapService.java:330) ~[classes!/:na]
    at io.securecodebox.zap.service.zap.ZapService.addReplacerRule(ZapService.java:321) ~[classes!/:na]
    at io.securecodebox.zap.service.zap.ZapService.resetDefaultRules(ZapService.java:98) ~[classes!/:na]
    at io.securecodebox.zap.service.zap.ZapService.startScannerAsUser(ZapService.java:258) ~[classes!/:na]
    at io.securecodebox.zap.jobs.definition.EngineWorkerJob.executeScanner(EngineWorkerJob.java:236) ~[classes!/:na]
    at io.securecodebox.zap.jobs.definition.EngineWorkerJob.performScannerTask(EngineWorkerJob.java:179) ~[classes!/:na]
    at io.securecodebox.zap.jobs.definition.EngineWorkerJob.execute(EngineWorkerJob.java:108) ~[classes!/:na]
    at de.otto.edison.jobs.service.JobService$1.execute(JobService.java:252) [edison-jobs-0.82.2.jar!/:na]
    at de.otto.edison.jobs.service.JobRunner.executeAndRetry(JobRunner.java:61) [edison-jobs-0.82.2.jar!/:na]
    at de.otto.edison.jobs.service.JobRunner.start(JobRunner.java:50) [edison-jobs-0.82.2.jar!/:na]
    at de.otto.edison.jobs.service.JobService.lambda$startAsync$7(JobService.java:216) [edison-jobs-0.82.2.jar!/:na]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_131]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_131]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) ~[na:1.8.0_131]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ~[na:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]

J12934 commented 6 years ago

I think we might actually be missing the replacer plugin in our docker container.

rseedorff commented 6 years ago

Maybe we must install it via command line in the dockerfile as we already do with the OpenAPI Plugin (see init.sh)

zap/zap.sh -Xmx3G -daemon -dir /home/zap/ -port 8090 -host 0.0.0.0 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -addoninstall soap -addoninstall openapi

J12934 commented 6 years ago

Appears to be installed... Zap logs all installed plugins on startup...

Installed add-ons: [[id=alertFilters, version=6.0.0], ... [id=replacer, version=4.0.0], ... [id=zest, version=26.0.0]]

rseedorff commented 6 years ago

You are right! I tested the ZAP bare docker image, but it already contains the replacer API:

docker run -it --rm -p 8090:8090 owasp/zap2docker-bare zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true

The problem is not the missing API, it's already existing... The problem is that the replacer plugin API parameter "replacement" is mandatory (in the ZAP UI it's not). So if you try to start a process with a replacer configuration that contains an empty string as value for the replacement parameter, this will fail :(

A configuration that completes:

[{
  "attributes": {
    "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit",
    "ZAP_REPLACER_RULES": [{
      "matchType": "REQ_HEADER",
      "description": "Add a special Authentication Header",
      "matchString": "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
      "initiators": "",
      "matchRegex": "false",
      "replacement": "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
      "enabled": "true"
    }],
    "ZAP_SPIDER_MAX_DEPTH": 2,
    "ZAP_SPIDER_INCLUDE_REGEX": [],
    "ZAP_SPIDER_EXCLUDE_REGEX": [],
    "ZAP_SCANNER_INCLUDE_REGEX": [],
    "ZAP_SCANNER_EXCLUDE_REGEX": []
  }
}]

A configuration that fails:

[{
  "attributes": {
    "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit",
    "ZAP_REPLACER_RULES": [{
      "matchType": "RESP_HEADER",
      "description": "Remove HSTS",
      "matchString": "Strict-Transport-Security",
      "initiators": "",
      "matchRegex": "false",
      "replacement": "",
      "enabled": "true"
    }],
    "ZAP_SPIDER_MAX_DEPTH": 2,
    "ZAP_SPIDER_INCLUDE_REGEX": [],
    "ZAP_SPIDER_EXCLUDE_REGEX": [],
    "ZAP_SCANNER_INCLUDE_REGEX": [],
    "ZAP_SCANNER_EXCLUDE_REGEX": []
  }
}]
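A pre-flight check for the failure rseedorff describes, written here as an added Python example that is not part of secureCodeBox or of ZAP: it reads the replacer add-on version out of the "Installed add-ons" startup line quoted above, flags rules whose replacement is empty before anything is sent to ZAP, and builds the query string the addRule action would receive so the offending empty value is visible. The version threshold of 7 comes from the closing comment of this issue, the set of match types is assumed from the replacer add-on's documented values (the thread only shows REQ_HEADER and RESP_HEADER), and the two rules and the log line are constructed from the configurations in this thread.

```python
import re
from urllib.parse import urlencode

# Parameters of the replacer add-on's addRule API action; the same keys appear
# in the ZAP_REPLACER_RULES entries of the wrapper configuration.
RULE_KEYS = ("description", "enabled", "matchType", "matchRegex",
             "matchString", "replacement", "initiators")
# Match types of the replacer add-on (assumption: taken from the add-on's
# documentation; this issue only uses REQ_HEADER and RESP_HEADER).
MATCH_TYPES = {"REQ_HEADER", "REQ_HEADER_STR", "REQ_BODY_STR",
               "RESP_HEADER", "RESP_HEADER_STR", "RESP_BODY_STR"}
# Replacer add-on version from which an empty replacement is accepted
# (assumption based on the closing comment of this issue).
EMPTY_REPLACEMENT_OK_FROM = 7

# Constructed sample input: ZAP's startup line and the two rules from the thread.
STARTUP_LOG = ("Installed add-ons: [[id=alertFilters, version=6.0.0], "
               "[id=replacer, version=4.0.0], [id=zest, version=26.0.0]]")
AUTH_RULE = {
    "matchType": "REQ_HEADER",
    "description": "Add a special Authentication Header",
    "matchString": "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
    "initiators": "",
    "matchRegex": "false",
    "replacement": "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
    "enabled": "true",
}
HSTS_RULE = {
    "matchType": "RESP_HEADER",
    "description": "Remove HSTS",
    "matchString": "Strict-Transport-Security",
    "initiators": "",
    "matchRegex": "false",
    "replacement": "",
    "enabled": "true",
}


def replacer_version_from_log(line):
    """Major version of the replacer add-on from the 'Installed add-ons' line, or None."""
    m = re.search(r"\[id=replacer, version=(\d+)(?:\.\d+)*\]", line)
    return int(m.group(1)) if m else None


def check_rule(rule, replacer_version):
    """Problems that would make addRule reject this rule; an empty list means it can be sent."""
    problems = [f"missing key '{k}'" for k in RULE_KEYS if k not in rule]
    if rule.get("matchType") not in MATCH_TYPES:
        problems.append(f"unknown matchType {rule.get('matchType')!r}")
    if not rule.get("matchString"):
        problems.append("matchString is empty")
    if replacer_version < EMPTY_REPLACEMENT_OK_FROM and not rule.get("replacement"):
        problems.append("replacement is empty: replacer add-on versions below "
                        f"{EMPTY_REPLACEMENT_OK_FROM} answer "
                        "'Missing Parameter (missing_parameter) : replacement'")
    return problems


def check_rules(rules, replacer_version):
    """Index -> problems for every rule that would fail, so the job can stop before ZAP is called."""
    result = {}
    for i, rule in enumerate(rules):
        problems = check_rule(rule, replacer_version)
        if problems:
            result[i] = problems
    return result


def addrule_query(rule):
    """Query string for /JSON/replacer/action/addRule/ with every parameter present,
    which makes the empty value behind the 'Missing Parameter' answer visible."""
    return urlencode({k: str(rule.get(k, "")) for k in RULE_KEYS})


if __name__ == "__main__":
    version = replacer_version_from_log(STARTUP_LOG)
    rules = [AUTH_RULE, HSTS_RULE]
    for idx, problems in check_rules(rules, version).items():
        print(f"rule {idx} ({rules[idx]['description']}): {'; '.join(problems)}")
    print(addrule_query(HSTS_RULE))
```

Running the check against the startup line from this thread reports the HSTS rule (empty replacement on replacer 4.0.0) and passes the authentication header rule; with a replacer version of 7 or above the same HSTS rule passes, which matches the outcome described at the end of the issue.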

rseedorff commented 6 years ago

I created a ZAP issue regarding the mandatory replacement value: https://github.com/zaproxy/zaproxy/issues/5080

kingthorin commented 6 years ago

The fix for this issue was just released in v7 of the Replacer addon. I believe this issue can be closed.