zaproxy / zaproxy

The ZAP by Checkmarx Core project
https://www.zaproxy.org
Apache License 2.0

Scanning https site doesn't work #1686

Closed lyapun closed 8 years ago

lyapun commented 9 years ago

Hello!

I'm using the zap docker image owasp/zap2docker-stable to execute scans. I'm running it with the command:

zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.key=12345

It works well for http targets, but when I try to execute a scan under https, it doesn't finish.

The last thing I can see in the docker container log is:

29639 [ZAP-ProxyThread-16] WARN org.zaproxy.zap.extension.api.API  - handleApiRequest error: {"code":"bad_api_key","message":"Invalid or missing API key"}
Invalid or missing API key (bad_api_key)
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:282)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:321)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:236)
    at java.lang.Thread.run(Thread.java:745)

Could you help me with this issue?

Thanks!

psiinon commented 9 years ago

The error is "Invalid or missing API key". The implication is that one of your API calls is either missing the API key or is using an incorrect one. What API client are you using (Java/python/...)? Are you specifying the API key for all Actions and Others?
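To make the point above concrete, here is an added example (not code from the ZAP project, the python-owasp-zap-v2 client, or anyone in this thread) that builds a ZAP JSON API URL carrying the `apikey` query parameter on every call and classifies the reply so that a `bad_api_key` envelope is told apart from a normal result. It assumes ZAP listens on 127.0.0.1:8090 (the port from the report); the JSON replies it checks are constructed, not captured from a running ZAP.

```python
"""Added example: ZAP API calls that always carry the key, plus reply checks.

Assumptions (not from the thread): ZAP daemon on 127.0.0.1:8090, the key is
sent as the `apikey` query parameter, and the replies below are constructed.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

ZAP_BASE = "http://127.0.0.1:8090"  # assumption: daemon port from the report


def api_url(component, kind, name, apikey, **params):
    """Return a ZAP JSON API URL: /JSON/<component>/<kind>/<name>/?apikey=...

    `kind` is "view", "action" or "other". ZAP enforces the key on actions
    and others when one is configured, so sending it on every call is the
    safe default.
    """
    if kind not in ("view", "action", "other"):
        raise ValueError(f"unknown API call kind: {kind}")
    query = {"apikey": apikey, **params}
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urlencode(query)}"


def carries_key(url, expected_key):
    """True if a request URL (e.g. one copied from ZAP's log) has the key."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("apikey") == [expected_key]


class ZapApiError(Exception):
    """Raised when ZAP answers with its {"code": ..., "message": ...} envelope."""


def parse_api_response(body):
    """Decode a ZAP JSON reply, raising ZapApiError on the error envelope."""
    data = json.loads(body)
    if isinstance(data, dict) and "code" in data and "message" in data:
        raise ZapApiError(f'{data["code"]}: {data["message"]}')
    return data


def classify_response(body):
    """'ok', 'bad_api_key' (the error from the thread) or 'other_error'."""
    try:
        parse_api_response(body)
        return "ok"
    except ZapApiError as err:
        return "bad_api_key" if str(err).startswith("bad_api_key") else "other_error"


if __name__ == "__main__":
    # Constructed usage: an active-scan action with the key attached.
    print(api_url("ascan", "action", "scan", "12345", url="https://example.test/"))
    # Constructed replies: the error quoted in the issue, and a normal success.
    print(classify_response('{"code":"bad_api_key","message":"Invalid or missing API key"}'))
    print(classify_response('{"scan":"0"}'))
```

When a client library hides the URL, `carries_key` can be pointed at the request lines ZAP logs to confirm the key is really leaving the client; `classify_response` is what a scan runner should check before concluding a scan "never finishes".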

lyapun commented 9 years ago

@psiinon hello! Thank you for the reply.

We execute the test using python-owasp-zap-v2, and yes, I didn't mention this from the python logs:

[2015-07-06 08:04:46,424: ERROR/Worker-2] 
Traceback (most recent call last):
  File ***, line 239, in make_zap_site_report
    zap.urlopen(target)
  File "/Users/tarasliapun/Work/venvs/websecurity/lib/python2.7/site-packages/zapv2/__init__.py", line 110, in urlopen
    return urllib.urlopen(*args, **kwargs).read()
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib.py", line 213, in open
    return getattr(self, name)(url)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib.py", line 443, in open_https
    h.endheaders(data)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] EOF occurred in violation of protocol (_ssl.c:581)

logancarmody commented 9 years ago

hello... we are using the unofficial ruby API... having this same issue, but only when running in daemon. Everything works as expected if running normally, but we get this error when running in daemon. Any further insight on this?

thc202 commented 9 years ago

@logancarmody are you referring to the logged message "Invalid or missing API key"? How are you starting ZAP? If as described in the issue report (i.e. with "-config api.key=...") you need to pass the API key [1] when calling API actions, though the ruby API doesn't seem to allow that :/

[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsApi#api-key

logancarmody commented 9 years ago

@thc202 thanks for your response! you're right... the ruby API doesn't support that. I've had to contribute to it a decent amount to get it working for our purposes... :/ Weirdly enough though, when not running in daemon mode, I don't specify the api key and our test runs fine... where I'm running into an issue is that I'm installing Zap on one of our headless linux servers and want to run our scan from there. I can't configure the API key because I don't have a UI to interact with and it doesn't seem like there is any call I can make to get the key... Any insight on this issue?

logancarmody commented 9 years ago

also this might belong better in a different issue :smile:

thc202 commented 9 years ago

Are you using the same ZAP version in both cases (when running in daemon and with GUI)?

You can use command line options [1] to specify the API key:

-config api.key=ApiKey123

You can leave the value empty if you don't want to specify one. Although, if you are using the latest weekly releases, to disable it you need to use:

-config api.disablekey=true

[1] https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

logancarmody commented 9 years ago

@thc202 thanks for the advice... just got the chance to try it out with the command-line args on my server and still no dice... it's being started by running /dir/to/sh/file/zap.sh -daemon -config api.disablekey=true and I still get the missing API key error

thc202 commented 9 years ago

Strange, which ZAP version are you using? 2.4.1?

logancarmody commented 9 years ago

@thc202 yes... would a stack trace make this easier?

thc202 commented 9 years ago

Not sure, but it's worth a try.

logancarmody commented 9 years ago

here is the class that I created in ruby to interact with the rubygem

require 'tempfile'

# Picks an output file for ZAP's stdout, fetches ZAP 2.4.1 into $HOME if no
# zap.sh is available yet, and builds the gem's Zap object.
def initialize(params)
  unless params[:stdout]
    file = Tempfile.new('zap_output')
    params[:output] = file
    Rails.logger.info "Zap Output in #{file.path}"
  end

  unless File.exist?(params[:zap].to_s) || File.exist?("#{ENV['HOME']}/ZAP_2.4.1/zap.sh")
    # download, unpack, then remove the archive that was downloaded
    system "wget -P $HOME https://github.com/zaproxy/zaproxy/releases/download/2.4.1/ZAP_2.4.1_Linux.tar.gz && tar -C $HOME -zxvf $HOME/ZAP_2.4.1_Linux.tar.gz && rm -f $HOME/ZAP_2.4.1_Linux.tar.gz"
    params[:zap] = "#{ENV['HOME']}/ZAP_2.4.1/zap.sh"
  end
  @zap = Zap.new params
end

# Starts ZAP through the gem; unless :sync is given, blocks until running? is true.
def start(params = {})
  @zap.start params
  sleep 1 until self.running? unless params[:sync]
end

here is the ruby gem start method (that I edited)

# Builds the ZAP command line (daemon, GUI with API, or plain GUI), forks,
# optionally redirects the child's stdout to the configured file, then execs ZAP.
def start(params = {})
  cmd_line = if params.key? :daemon
               "#{@zap_bin} -daemon -config api.disablekey=true"
             elsif params.key? :api
               "#{@zap_bin} -config api.disablekey=true"
             else
               @zap_bin
             end
  fork do
    # if you passed :output=>"file.txt" to the constructor, then it will send
    # the forked process output (that means, ZAP stdout) to this file
    unless @output == $stdout
      STDOUT.reopen(File.open(@output, 'w+'))
      STDOUT.sync = true
    end
    exec cmd_line
  end
end

finally here is the stack trace when I run it

924 [main] INFO org.zaproxy.zap.ZAP - OWASP ZAP 2.4.1 started. 1768 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start 1788 [main] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end 2513 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols... 2513 [main] INFO org.parosproxy.paros.network.SSLConnector - Using a SSLEngine... 3489 [main] INFO org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] 3506 [main] INFO org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled. 4042 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions 6708 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Extensions loaded 9784 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Change user agent to other browsers. 9784 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Detect insecure or potentially malicious content in HTTP responses. 9784 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Detect and alert 'Set-cookie' attempt in HTTP response for modification. 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Avoid browser cache (strip off IfModifiedSince) 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log cookies sent by browser. 
9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log unique GET queries into file:filter/get.xls 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log unique POST queries into file: filter/post.xls 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Log request and response into file: filter/message.txt 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP request body using defined pattern. 9785 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP request header using defined pattern. 9786 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP response body using defined pattern. 9786 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Replace HTTP response header using defined pattern. 9786 [ZAP-daemon] INFO org.parosproxy.paros.extension.filter.FilterFactory - loaded filter Send ZAP session request ID Aug 04, 2015 5:05:33 PM java.util.prefs.FileSystemPreferences$1 run INFO: Created user preferences directory. 
10403 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionViewOption 10422 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionEdit 10422 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionFilter 10422 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP 10820 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionState 10821 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHistory 10825 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields 10960 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions 10982 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Encode/Decode/Hash... 
10982 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses 10983 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner 11124 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script passive scan rules 11125 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure 11125 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set 11126 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing 11126 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag 11128 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag 11128 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion 11128 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Web Browser XSS Protection Not Enabled 11129 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content 11142 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Password Autocomplete in Browser 11142 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure 11142 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite 11143 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan 
rule: X-Content-Type-Options Header Missing 11143 [ZAP-daemon] INFO org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header Not Set 11202 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts 11206 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added 11461 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Path Traversal 11479 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote File Inclusion 11481 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Include 11483 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Reflected) 11493 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) 11493 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin SQL Injection 11502 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Code Injection 11510 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote OS Command Injection 11511 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Directory Browsing 11511 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin External Redirect 11511 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin CRLF Injection 11512 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Parameter Tampering 11513 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime 11514 [ZAP-daemon] INFO 
org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider 11517 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Script active scan rules 11522 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Path Traversal 11523 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote File Inclusion 11523 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Include 11523 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Reflected) 11524 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) 11524 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin SQL Injection 11524 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Code Injection 11525 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote OS Command Injection 11528 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Directory Browsing 11529 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin External Redirect 11529 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin CRLF Injection 11529 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Parameter Tampering 11530 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime 11530 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider 11531 [ZAP-daemon] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Script active scan rules 11539 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - 
Initializing Spider used for automatically finding URIs on a site 11546 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks 11547 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool 11548 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionManualRequest 11548 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates 11550 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences 11550 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters 11552 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens 11557 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAuthentication 13206 [ZAP-daemon] INFO org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication] 13208 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser 13209 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only 13209 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionUserManagement 13211 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and 
URL parameters as well as cookies 13212 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration 13231 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages 13232 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionForcedUser 13233 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions 13235 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language from Mozilla specifically designed to be used in security tools 13388 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff 13389 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionRequestPostTableView 13389 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Simple browser configuration 13389 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSessionManagement 13620 [ZAP-daemon] INFO org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, Http Authentication Session Management] 13625 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelRequestFormTableView 13626 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints. 
13632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies 13632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionAuthorization 13632 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax 13635 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs 13636 [ZAP-daemon] WARN org.zaproxy.zap.extension.globalexcludeurl.ExtensionGlobalExcludeURL - GlobalExcludeURL.optionsLoaded() 13636 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree 13636 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus. 13636 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User guide 13636 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionReport 13636 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelComponentonentAll 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelHexView 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelImageView 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelLargeRequestView 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelLargeResponseView 13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelRequestQueryCookieTableView 
13637 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHttpPanelSyntaxHighlightTextView 13638 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Quick Start panel 13638 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations. 13640 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages. 13640 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules 13641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Translations of the core language files 13641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules 13641 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links 13642 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks 13642 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser. 
13643 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide 13643 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage 13644 [Thread-4] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA 15315 [ZAP-ProxyThread-3] WARN org.zaproxy.zap.extension.api.API - handleApiRequest error: Invalid or missing API key Invalid or missing API key (bad_api_key) at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source) at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source) at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source) at java.lang.Thread.run(Thread.java:745) 15340 [ZAP-ProxyThread-4] WARN org.zaproxy.zap.extension.api.API - handleApiRequest error: Invalid or missing API key Invalid or missing API key (bad_api_key) at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source) at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source) at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source) at java.lang.Thread.run(Thread.java:745) rake aborted!

kingthorin commented 9 years ago

What was the commandline you used to call your gem? Did you pass an apikey? Did you pass a valid apikey? Or did you call it in one of the ways that's supposed to disable the apikey? (If so did you put in some debugging to ensure it did follow one of the disable paths?)

Based on your original report I'm going to guess that your apikey value of 12345 (per your original submission) isn't valid.

https://github.com/zaproxy/zaproxy/wiki/FAQapikey

logancarmody commented 9 years ago

@kingthorin if you look at the gem start method above... I passed in the parameter daemon: true, so that would fork the process and run /path/to/sh/zap.sh -daemon -config api.disablekey=true. With the new release of 2.4.1, shouldn't this be enough, and I shouldn't have to specify a key on my api calls?

thc202 commented 9 years ago

@logancarmody yes, that's correct, although it seems that the option -config api.disablekey=true is not being passed to ZAP. It logs/outputs something like the following when passed to ZAP:

932 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null

(it's logged/outputted before "Reading supported SSL/TLS protocols...")

Could you append -something to the command and see if it's passed to ZAP? It should log/output:

5952 [ZAP-daemon] ERROR org.zaproxy.zap.ZAP - Unsupported option '-something'.; java.lang.Exception: Unsupported option '-something'.; at org.parosproxy.paros.CommandLine.parse(Unknown Source) at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(Unknown Source) at org.zaproxy.zap.ZAP$2.run(Unknown Source) at java.lang.Thread.run(Thread.java:745)
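The two checks thc202 proposes here (look for the "Setting config ..." line to confirm a -config option reached ZAP, and for the "Unsupported option" error to confirm a flag reached the parser at all) can be automated against the daemon's output. The following is an added example, not ZAP project code or anything posted in this thread; it parses the `<ms> [<thread>] <LEVEL> <logger> - <message>` line format quoted above, re-splits output that was flattened onto one line, and counts `bad_api_key` warnings. The log lines embedded in it are constructed to mirror the thread's format, not real captures.

```python
"""Added example: check a ZAP daemon start-up log for the signals discussed
above. Sample log text is constructed, not a real capture."""
import re

# Format quoted in the thread: "<ms> [<thread>] <LEVEL> <logger> - <message>"
LOG_LINE = re.compile(
    r"^(?P<ms>\d+) \[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)
SETTING = re.compile(r"^Setting config (?P<key>\S+) = (?P<value>\S+)")
UNSUPPORTED = re.compile(r"Unsupported option '(?P<opt>[^']+)'")


def parse_zap_log(text):
    """Yield one dict per log record.

    Output pasted into an issue (or captured via a pipe) is often flattened
    onto a single line, so a newline is re-inserted in front of every
    "<ms> [<thread>] <LEVEL> " marker before splitting.
    """
    text = re.sub(r" (?=\d+ \[[^\]]+\] (?:TRACE|DEBUG|INFO|WARN|ERROR) )", "\n", text)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def check_startup(text):
    """Summarise what the daemon acknowledged from its command line."""
    report = {"config_seen": {}, "unsupported": [], "bad_api_key": 0}
    for rec in parse_zap_log(text):
        msg = rec["msg"]
        s = SETTING.match(msg)
        if s:
            report["config_seen"][s["key"]] = s["value"]
        u = UNSUPPORTED.search(msg)
        if u:
            report["unsupported"].append(u["opt"])
        if "bad_api_key" in msg:
            report["bad_api_key"] += 1
    # The line thc202 says to look for: ZAP echoed the -config option.
    report["disablekey_applied"] = report["config_seen"].get("api.disablekey") == "true"
    return report


# Constructed samples in the thread's format.
GOOD_LOG = """\
932 [main] INFO org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
2513 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
"""

# Flattened onto one line, as pasted output often is: no "Setting config" line,
# an unknown flag rejected by the parser, and one API-key warning.
BAD_LOG = (
    "2513 [main] INFO org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols... "
    "5952 [ZAP-daemon] ERROR org.zaproxy.zap.ZAP - Unsupported option '-something'.; java.lang.Exception: Unsupported option '-something'.; at org.parosproxy.paros.CommandLine.parse(Unknown Source) "
    "15315 [ZAP-ProxyThread-3] WARN org.zaproxy.zap.extension.api.API - handleApiRequest error: Invalid or missing API key Invalid or missing API key (bad_api_key) at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)"
)

if __name__ == "__main__":
    print(check_startup(GOOD_LOG))
    print(check_startup(BAD_LOG))
```

Reading the report: `disablekey_applied` false together with a non-zero `bad_api_key` count is exactly the situation in this thread, and an empty `unsupported` list after appending a bogus flag means the flag never reached ZAP's parser, so the wrapper, not ZAP, dropped the arguments.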

logancarmody commented 9 years ago

@thc202 thanks for the suggestion; here's what I found:

it seems that the Invalid or missing API key (bad_api_key) error is coming from zap reading the command line arg -config api.disablekey=true, because when I ran zap.sh -daemon -config api.disablekey=true -something, I got the same output. But when I ran zap.sh -daemon -something -config api.disablekey=true... I got the output:

5952 [ZAP-daemon] ERROR org.zaproxy.zap.ZAP - Unsupported option '-something'.; java.lang.Exception: Unsupported option '-something'.; at org.parosproxy.paros.CommandLine.parse(Unknown Source) at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(Unknown Source) at org.zaproxy.zap.ZAP$2.run(Unknown Source) at java.lang.Thread.run(Thread.java:745)

And it stopped executing... which led me to believe the invalid API key message was an error on the cl args as well.

Unless this is very helpful, I might just start refactoring the gem so that it sends an API key with its requests.

thc202 commented 9 years ago

Yeah, something is wrong with cl args but not sure where.

You can manually disable the API key by adding the following to the config.xml (located in "home" directory) before </config>:

<api>
    <disablekey>true</disablekey>
</api>

(if the element disablekey is already present in the file you can just change the value to true)
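The manual edit just described, including the case where the element is already present, can be scripted so it is idempotent and refuses to touch a file that is not a ZAP config.xml. This is an added example, not ZAP project code or anything from this thread; the config.xml path and the sample XML documents are constructed, and it assumes ZAP is not running while the file is edited, since ZAP rewrites config.xml when it exits.

```python
"""Added example: set <api><disablekey>true</disablekey></api> in a ZAP
config.xml, creating the elements if absent or rewriting the value if present.
Sample XML and the temp path are constructed, not taken from a real install."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def set_api_disablekey(xml_text, value="true"):
    """Return the config with api/disablekey set to `value`.

    Refuses anything whose root is not <config>; ElementTree does not keep
    comments, so the rewritten file loses them (the settings are preserved).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError(f"not a ZAP config.xml: root element is <{root.tag}>")
    api = root.find("api")
    if api is None:
        api = ET.SubElement(root, "api")
    dk = api.find("disablekey")
    if dk is None:
        dk = ET.SubElement(api, "disablekey")
    dk.text = value  # thc202's note: just change the value if already present
    return ET.tostring(root, encoding="unicode")


def api_key_disabled(xml_text):
    """True only if api/disablekey exists and reads 'true'."""
    root = ET.fromstring(xml_text)
    dk = root.find("api/disablekey")
    return dk is not None and (dk.text or "").strip().lower() == "true"


def update_config_file(path):
    """Edit config.xml in place; returns True if the file was changed."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    if api_key_disabled(original):
        return False  # already disabled: nothing to write
    p.write_text(XML_DECL + set_api_disablekey(original), encoding="utf-8")
    return True


# Constructed configs: key set but no disablekey, disablekey false, no <api> at all.
SAMPLE_WITHOUT = "<config><api><key>12345</key></api></config>"
SAMPLE_WITH_FALSE = "<config><api><disablekey>false</disablekey></api></config>"
SAMPLE_NO_API = "<config><view><mode>standard</mode></view></config>"


def demo_roundtrip():
    """Write a constructed config.xml to a temp dir and update it twice;
    returns (changed_first_run, changed_second_run, disabled_afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "config.xml"  # constructed path, not a real ZAP home
        cfg.write_text(SAMPLE_WITHOUT, encoding="utf-8")
        first = update_config_file(cfg)
        second = update_config_file(cfg)
        return first, second, api_key_disabled(cfg.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print(demo_roundtrip())
```

Point `update_config_file` at the config.xml under the ZAP "home" directory of the account that actually runs the daemon (the wrong home is the next thing checked in this thread); running it a second time is a no-op, so it is safe in a provisioning step.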

logancarmody commented 9 years ago

Hello @thc202 Sorry about the late response... I added that to the config file... no dice... any further advice?

thc202 commented 9 years ago

Are you sure that you edited the correct config.xml file? (e.g. if you are running with Jenkins the directory might be in "/var/lib/jenkins/" instead) Was the element already present in the file, or did you add it?

kingthorin commented 8 years ago

Can this issue be closed?

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.