Open wurstbrot opened 5 years ago
Hi Timo,
your LOG file indicates that your ZAP Spider returns no URLs; in this case the ZAP Scanner complains that it's not able to scan...
2018-11-16 12:50:00.561 INFO 118 --- [pool-1-thread-4] i.s.zap.service.zap.ZapService : Recalling 0 requests to zap.
214949 [ZAP-ProxyThread-78] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/xml/ascan/action/scan/] from [127.0.0.1]: URL Not Found in the Scan Tree (url_not_found)
Have you tried to scan your service (http://10.10.11.104:3000/) locally with ZAP first, to test the configuration you would like to automate? Maybe ZAP_SPIDER_MAX_DEPTH must be >= 1?
KR Robert
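The point Robert makes is that ascan/action/scan only accepts a URL that is already a node in ZAP's Sites tree, which is what the spider (or a single request through ZAP) populates. The following is an added example, not secureCodeBox or ZAP project code, of driving that order through the ZAP JSON API: spider, wait for completion, check core/view/urls for the target, fall back to core/action/accessUrl when the spider returned nothing, and only then start the active scan. It assumes (not from the thread) a ZAP daemon on 127.0.0.1:8080 with API key "changeme"; all function names are hypothetical, and the error body shape matches the "url_not_found" message in the log.

```python
"""Pre-flight for a ZAP active scan: spider the target, confirm it is in the
Sites tree, and only then call ascan/action/scan, so the scan cannot fail with
url_not_found. Added example, not secureCodeBox or ZAP project code.
Assumed (not from the thread): ZAP at ZAP_BASE with API key ZAP_API_KEY."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumption: local ZAP daemon
ZAP_API_KEY = "changeme"             # assumption: ZAP started with -config api.key=changeme


class ZapApiError(Exception):
    """ZAP answers a bad API request with {"code": ..., "message": ...}."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def api_url(zap_base, component, kind, name, **params):
    """Build e.g. http://127.0.0.1:8080/JSON/ascan/action/scan/?url=...&apikey=...
    Booleans are sent as "true"/"false"; parameters set to None are omitted."""
    encoded = {k: (str(v).lower() if isinstance(v, bool) else v)
               for k, v in params.items() if v is not None}
    return f"{zap_base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(encoded)}"


def parse_api_response(body):
    """Decode a ZAP JSON body; raise ZapApiError for the error shape, e.g.
    {"code":"url_not_found","message":"URL Not Found in the Scan Tree"}."""
    data = json.loads(body)
    if isinstance(data, dict) and "code" in data and "message" in data:
        raise ZapApiError(data["code"], data["message"])
    return data


def target_in_site_tree(urls_view, target):
    """True if target appears in a core/view/urls result ({"urls": [...]});
    a trailing-slash difference is tolerated."""
    known = {u.rstrip("/") for u in urls_view.get("urls", [])}
    return target.rstrip("/") in known


def zap_call(component, kind, name, **params):
    """One ZAP API call; ZAP signals errors with a 4xx status and a JSON body."""
    url = api_url(ZAP_BASE, component, kind, name, apikey=ZAP_API_KEY, **params)
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return parse_api_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_api_response(err.read().decode())


def spider_then_scan(target, max_depth=1, poll_seconds=2):
    """Same order the engine uses: spider, wait for 100 %, verify the tree,
    then active scan. Returns the ascan id."""
    zap_call("spider", "action", "setOptionMaxDepth", Integer=max_depth)
    spider_id = zap_call("spider", "action", "scan", url=target, recurse=True)["scan"]
    while int(zap_call("spider", "view", "status", scanId=spider_id)["status"]) < 100:
        time.sleep(poll_seconds)
    if not target_in_site_tree(zap_call("core", "view", "urls", baseurl=target), target):
        # Spider found nothing ("Recalling 0 requests" in the log): fetch the
        # target once so at least that node exists in the tree before ascan.
        zap_call("core", "action", "accessUrl", url=target, followRedirects=True)
    return zap_call("ascan", "action", "scan", url=target, recurse=True)["scan"]


if __name__ == "__main__":
    print("ascan id:", spider_then_scan("http://10.10.11.104:3000/", max_depth=1))
```

If the fallback accessUrl is what makes the scan possible, the spider itself is the thing to debug (depth, scope, or a target that only renders via JavaScript), because an active scan over a single node covers very little.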
Hi Robert,
I tried it now with:
ZAP_SPIDER_MAX_DEPTH=2
ZAP_SPIDER_MAX_DEPTH
ZAP_SPIDER_MAX_DEPTH=1
according to the documentation (https://github.com/secureCodeBox/secureCodeBox/blob/master/docs/user-guide/usage-examples/zap-bodgeit-example.md). In all cases, I get the same error. In the engine I get:
engine_1 | 2018-11-16 14:19:02.640 INFO 1 --- [nio-8080-exec-6] s.s.l.TransformFindingsToTargetsListener : Created Targets out of Findings: [Target{name='null', location='http://bodgeit:8080/bodgeit/js/util.js', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/js/util.js, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}, {name=b_id, value=2}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=b_id=2; JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=323, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/search.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/search.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=315, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/basket.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/basket.jsp, httpVersion=HTTP/1.1, 
cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=315, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/product.jsp?typeid=5', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/product.jsp?typeid=5, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}, {name=b_id, value=2}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=b_id=2; JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[{name=typeid, value=5}], postData={mimeType=, params=[], text=}, headersSize=333, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/home.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/home.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, 
params=[], text=}, headersSize=313, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/.svn/entries', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/.svn/entries, httpVersion=HTTP/1.1, cookies=[], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Host, value=bodgeit:8080}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=225, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/style.css', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/style.css, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}, {name=b_id, value=2}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=b_id=2; JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=322, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/login.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/login.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, 
value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=314, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/admin.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/admin.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}, {name=b_id, value=2}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=b_id=2; JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=322, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/contact.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/contact.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=316, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/.svn/wc.db', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/.svn/wc.db, httpVersion=HTTP/1.1, cookies=[], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, 
{name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Host, value=bodgeit:8080}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=223, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/product.jsp?prodid=2', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/product.jsp?prodid=2, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}, {name=b_id, value=2}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=b_id=2; JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[{name=prodid, value=2}], postData={mimeType=, params=[], text=}, headersSize=333, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/.git/index', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/.git/index, httpVersion=HTTP/1.1, cookies=[], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Host, value=bodgeit:8080}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=223, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/, httpVersion=HTTP/1.1, cookies=[], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Host, value=bodgeit:8080}], 
queryString=[], postData={mimeType=, params=[], text=}, headersSize=213, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}, Target{name='null', location='http://bodgeit:8080/bodgeit/about.jsp', attributes={request={method=GET, url=http://bodgeit:8080/bodgeit/about.jsp, httpVersion=HTTP/1.1, cookies=[{name=JSESSIONID, value=6FD5717DB5D22B76C9A17F55BCBBD698}], headers=[{name=User-Agent, value=Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0}, {name=Pragma, value=no-cache}, {name=Cache-Control, value=no-cache}, {name=Content-Length, value=0}, {name=Referer, value=http://bodgeit:8080/bodgeit/}, {name=Host, value=bodgeit:8080}, {name=Cookie, value=JSESSIONID=6FD5717DB5D22B76C9A17F55BCBBD698}], queryString=[], postData={mimeType=, params=[], text=}, headersSize=314, bodySize=0}, ZAP_BASE_URL=http://bodgeit:8080/bodgeit/}}]
I updated the title, as it stays in scanner, saying the task spider is complete.
Cheers, Timo
I guess, from the error message, that the targetUrl is not in the siteTree, and the source of the error is here: https://github.com/igorhvr/zaproxy/blob/master/src/org/zaproxy/zap/extension/ascan/ActiveScanAPI.java#L98
Hi Timo, can you please double check that your engine version really is from the current develop branch? The log from the engine looks to me as if it is not. We have recently changed the format that ZAP spider findings get transformed into, and this appears to still be the old format.
First test: With the current development version and a local build it works. More tests tomorrow.
Using latest securecodebox/engine:develop and securecodebox/zap:develop (using docker-compose pull) results in an error on the engine.
Used versions:
securecodebox/engine develop 0af6e826d7c8 2 days ago 172MB
securecodebox/zap develop 019df2720f2d 9 days ago 559MB
Logs:
2018-11-22 07:49:31.948 ERROR 9 --- [nio-8080-exec-8] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL was not normalized.
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:248) ~[spring-security-web-4.2.6.RELEASE.jar!/:4.2.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193) ~[spring-security-web-4.2.6.RELEASE.jar!/:4.2.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-4.2.6.RELEASE.jar!/:4.2.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) ~[spring-boot-actuator-1.5.13.RELEASE.jar!/:1.5.13.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.17.RELEASE.jar!/:4.3.17.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_181]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181]
With a self-build of the current master on GitHub it works. Using the develop branch of the engine, it does not work. Maybe I am forced to use the new API (which is hard without documentation)?
The last problem doesn't have to be a problem with ZAP.
The engine shows that error continuously and ZAP does its job.
The test happened with the images from this morning (engine+zap from develop):
$ docker images | grep securecodebox
securecodebox/engine develop 5191b1e2f556 20 hours ago 172MB
securecodebox/arachni develop c2c858d4fe64 20 hours ago 1.88GB
securecodebox/engine
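The engine-side exception above is thrown by Spring Security's StrictHttpFirewall, which refuses any request whose path is not normalized before it reaches a controller. The following is an added example, not code from the thread, secureCodeBox or Spring: a Python re-implementation of that path rule, run over a constructed list of URLs (three of the spider URLs quoted earlier in the thread plus two built here) to show which ones would be rejected with exactly this message. The thread does not show which request tripped the check, so this demonstrates the rule, not the root cause; it is useful for vetting URLs from scanner findings before they are posted back to a Spring-protected API.

```python
"""Which request paths does Spring Security's StrictHttpFirewall reject with
"The request was rejected because the URL was not normalized"?  Added example:
a Python re-implementation of the rule (not Spring's code), applied to a
constructed list of URLs."""
import urllib.parse


def is_normalized_path(path):
    """StrictHttpFirewall's rule: a path is not normalized if it contains "//"
    or any single-dot or double-dot segment ("/./", "/../", a trailing "/."
    or "/..", or a bare "." / ".."). Everything else, including names such as
    ".svn" or ".git", is accepted."""
    if path is None:
        return True
    if "//" in path:
        return False
    end = len(path)
    while end > 0:
        slash = path.rfind("/", 0, end)      # -1 if no slash before `end`
        gap = end - slash
        if gap == 2 and path[slash + 1] == ".":
            return False                     # "." segment
        if gap == 3 and path[slash + 1:slash + 3] == "..":
            return False                     # ".." segment
        end = slash
    return True


def rejected_urls(urls):
    """Return the URLs whose path the firewall would reject. The check runs on
    the path as given (no percent-decoding), as the firewall does on the
    request URI."""
    return [u for u in urls if not is_normalized_path(urllib.parse.urlsplit(u).path)]


# Constructed sample: spider URLs quoted in the thread plus two made up here.
SAMPLE_URLS = [
    "http://bodgeit:8080/bodgeit/",
    "http://bodgeit:8080/bodgeit/.svn/entries",
    "http://bodgeit:8080/bodgeit/product.jsp?typeid=5",
    "http://bodgeit:8080/bodgeit//style.css",     # constructed: empty segment
    "http://bodgeit:8080/bodgeit/../admin.jsp",   # constructed: dot-dot segment
]

if __name__ == "__main__":
    for url in rejected_urls(SAMPLE_URLS):
        print("would be rejected:", url)
```

Note that the .svn and .git paths from the log pass the rule: a dot inside a segment name is fine, only a segment that is exactly "." or ".." (or an empty segment from "//") is rejected. StrictHttpFirewall has separate checks for percent-encoded slashes, backslashes and encoded dots, which produce a different message.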
Does this error crash the container?
Also, the current develop state is already relatively well documented; the only thing missing is the generated markdown REST API documentation. But you can always access the dynamic Swagger page of the engine (located at /swagger-ui.html).
Does this error crash the container?
no
I am using docker-compose.yml with a self-built engine and ZAP. Both are the current develop branch without modifications. I scan the Juice Shop via Swagger:
[ { "name": "ZAP Scan 10.10.11.104", "location": "http://10.10.11.104:3000/", "attributes": { "ZAP_BASE_URL": "http://10.10.11.104:3000/", "ZAP_SPIDER_MAX_DEPTH": 1 } } ]
I am not sure which warning/error in the following log is the cause for ZAP staying in Scanner after finishing "Run OWASP Zap Spider" in the engine.
I see the following in the zap-container-logs: