zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

WebSocketAlertWrapper - Couldn't get the Handshake Http Message for this specific channel #5601

Open Dubniak opened 4 years ago

Dubniak commented 4 years ago

I am trying to automate some scans for my website. While in the ZAP GUI everything seems to run normally, when I try to do it via the ZAP API in Python I face some problems. The latest of those, according to the zap.log, is the

WebSocketAlertWrapper - Couldn't get the Handshake Http Message for this specific channel. Channel ID: 1

which is followed by [ZAP-WS-PassiveScanner] ERROR ExtensionAlert - Attempting to raise an alert without URI and/or HTTP message, Plugin ID: 110002 Alert Name:Base64 Disclosure in WebSocket message (script)

That's caused by the new feature provided by ZAP which passive scans WebSocket messages. That happens when the HTTP handshake message of a WebSocket connection was deleted in the meantime.

I try to perform a spider and active scan via the ZAP API through Python and I get the above errors. My Python script connects to ZAP, creates a new Session, uses Selenium (Chrome) to navigate and authenticate a user. After that I create a new context where I import some target URLs, set Manual Authentication, don't create any user and finally try to spider and then perform an active scan. All the above seem to work fine in the GUI but not through the API.

Expected behavior: ZAP should be able to spider and scan the target API, as it does through the GUI.

Software versions

zap.log attached zap.log

kingthorin commented 2 years ago

@psiinon @thc202 Could we craft some sort of placeholder HTTP Message to handle these cases? That'll leave it up to the end user to identify the WebSocket traffic/message where the issue was encountered but at least they'd still have the alert :shrug:
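
A log-triage sketch for the two zap.log messages quoted in this issue, added here as an example and not part of the thread or of ZAP's code: it pairs each handshake warning with the ExtensionAlert error that follows it, so the dropped alerts can be listed by channel ID and plugin ID. The timestamp prefix, the log levels and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Message texts are the two quoted in the issue; the timestamps, the WARN/INFO
# levels and the extra lines are constructed for this example.
SAMPLE_LOG = """\
2020-01-01 10:00:01,100 [ZAP-WS-PassiveScanner] WARN WebSocketAlertWrapper - Couldn't get the Handshake Http Message for this specific channel. Channel ID: 1
2020-01-01 10:00:01,101 [ZAP-WS-PassiveScanner] ERROR ExtensionAlert - Attempting to raise an alert without URI and/or HTTP message, Plugin ID: 110002 Alert Name:Base64 Disclosure in WebSocket message (script)
2020-01-01 10:00:02,000 [ZAP-SpiderThread-0] INFO Spider - unrelated constructed line
2020-01-01 10:00:03,100 [ZAP-WS-PassiveScanner] WARN WebSocketAlertWrapper - Couldn't get the Handshake Http Message for this specific channel. Channel ID: 2
2020-01-01 10:00:03,101 [ZAP-WS-PassiveScanner] ERROR ExtensionAlert - Attempting to raise an alert without URI and/or HTTP message, Plugin ID: 110002 Alert Name:Base64 Disclosure in WebSocket message (script)
2020-01-01 10:00:04,101 [ZAP-WS-PassiveScanner] ERROR ExtensionAlert - Attempting to raise an alert without URI and/or HTTP message, Plugin ID: 110002 Alert Name:Base64 Disclosure in WebSocket message (script)
"""

HANDSHAKE_RE = re.compile(
    r"WebSocketAlertWrapper - Couldn't get the Handshake Http Message "
    r"for this specific channel\. Channel ID: (\d+)")
DROPPED_RE = re.compile(
    r"ExtensionAlert - Attempting to raise an alert without URI and/or "
    r"HTTP message, Plugin ID: (\d+) Alert Name:\s*(.+?)\s*$")


def dropped_websocket_alerts(log_text):
    """Return (channel_id, plugin_id, alert_name) for each alert that was not raised.

    channel_id is None when no handshake warning preceded the error.
    """
    dropped, pending_channel = [], None
    for line in log_text.splitlines():
        match = HANDSHAKE_RE.search(line)
        if match:
            pending_channel = int(match.group(1))
            continue
        match = DROPPED_RE.search(line)
        if match:
            dropped.append((pending_channel, int(match.group(1)), match.group(2)))
            pending_channel = None  # a warning explains only the next error
    return dropped


def summarize(dropped):
    """Count dropped alerts per (channel_id, plugin_id, alert_name)."""
    return Counter(dropped)


if __name__ == "__main__":
    for (channel, plugin, name), count in summarize(dropped_websocket_alerts(SAMPLE_LOG)).items():
        print(f"channel={channel} plugin={plugin} count={count} alert={name}")
```
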