Related questions

OWASP ZAP - Access Site tree

2018-07-03 06:52 Mh07 imported from Stackoverflow

I'm using OWASP ZAP API for spidering. I couldn't find the way to get site tree structure via ZAP API. I would like to know if there is anyway I can get Site tree of the URL (with its nodes) via ZAP API?

See also questions close to this topic

  • How to defend against stored XSS inside a JSP attribute value in a form

    Question How to defend against stored XSS inside a JSP attribute value in a form?

    The initial code is like 

    <form ..>
    <input value="<c:out value="${name}"/>" type="text" />
</form>

    Using c:out :

    <input value="<c:out value="${name}"/>" type="text" />

    or esapi:encodeForHTMLAttribute?

    <%@ taglib prefix="esapi" uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" %>
<input value="<esapi:encodeForHTMLAttribute>${name}</esapi:encodeForHTMLAttribute>" type="text" />

    My first thought From what I read, the esapi encoding is the safest way. I don't think c:out is safe enough when we are writing the value of an attribute. Based on the Owasp cheat sheet to prevent xss escaping should be done different depending on the context where the value is used - attribute value in this case. c:out only escapes for HTML sensitive characters, so only these characters: & < > " ' /.

    An example of vulnerability: it is possible someone deletes by mistake the characters " or ' surrounding the attribute value. The page will still be valid HTML and working well. But if the value to be inserted in the attribute is something onclick=alert(1) then, because c:out will not escape anything, we will have the html

  • Maven dependency check fails with "Unable to connect to the database"

    I use the following dependency to check the code for CVE.

    <groupId>org.owasp</groupId>                   
<artifactId>dependency-check-maven</artifactId>
<version>1.4.0</version>

    On my jenkins I randomly get the following exception and my build fails.

    Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to connect to the database
at org.owasp.dependencycheck.data.nvdcve.ConnectionFactory.initialize (ConnectionFactory.java:161)
at org.owasp.dependencycheck.Engine.initializeEngine (Engine.java:106)
at org.owasp.dependencycheck.Engine.<init> (Engine.java:86)
at org.owasp.dependencycheck.maven.Engine.<init> (Engine.java:66)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.initializeEngine (BaseDependencyCheckMojo.java:659)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck (CheckMojo.java:72)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:410)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
...

    This seems to occur only on a special executor (I use one maven repo per executor). What can this be?

  • Can someone share any standard or guidelines for Desktop Application security testing?

    Can someone share any standard or guidelines for Desktop Application security testing?Something similar to OWASP, NIST etc.

  • OWASP/ZAP dangling when trying to scan

    I am trying out OWASP/ZAP to see if it is something we can use for our project, but I cannot make it work I don't know what I am doing wrong and the documentation really does not help. What I am trying is to run a scan on my api running in a docker container locally on my windows machine so I run the command: docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t http://172.21.0.2:8080/swagger.json -g gen.conf -r testreport.html the ip 172.21.0.2 is the IPAddress of my api container even tried with localhost and 127.0.0.1

    but it just hangs in the following log message:

    _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Feb 14, 2019 1:43:31 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.

    Nothing happens and my zap docker container is in a unhealthy state, after some time it just crashes and ends up with a bunch of NullPointerExceptions. Is zap docker only working for linux, something specifically I need to do when running it on a windows machine? I don't get why this is not working even when I am following specifically the guideline in https://github.com/zaproxy/zaproxy/wiki/Docker

    Edit 1 My latest try where I am trying to target my host ip address directly and the port that I am exposing my api to gives me the following error:

    _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Feb 14, 2019 2:12:07 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 3 URLs
ERROR Permission denied
2019-02-14 14:12:57,116 I/O error(13): Permission denied
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 347, in main
    with open(base_dir + generate, 'w') as f:
IOError: [Errno 13] Permission denied: '/zap/wrk/gen.conf'
Found Java version 1.8.0_151
Available memory: 3928 MB
Setting jvm heap size: -Xmx982m
213 [main] INFO org.zaproxy.zap.DaemonBootstrap
  • OWASP ZAP docker returns 'Connection refused' when running active-scan

    I'm trying to set up OWASP ZAP to run locally using the docker image provided. 

    docker run --name zap -u zap \
-p 8090:8090 -v "$(pwd)/reports":/zap/reports/:rw \
-i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 \
-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true \
-config api.disablekey=true

    If I try and run a quick-scan, it completes successfully 

    docker exec zap zap-cli --verbose quick-scan --self-contained --start-options '-config api.disablekey=true' http://www.itsecgames.com -l Medium

    but I keep getting Connection refused every-time I try an active-scan

    docker exec zap zap-cli --verbose active-scan http://www.itsecgames.com

    Any idea why this might be the case?

    I get the same error when trying to generate reports:

    docker exec zap zap-cli --verbose report -o /zap/reports/owasp-quick-scan-report.html --output-format html

    EDIT: and the logs don't show any useful information:

    9864 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestPersistentXSSAttack in 0.003s with 0 message(s) sent and 0 alert(s) raised.
9864 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | TestSQLInjection strength MEDIUM threshold MEDIUM
10350 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestSQLInjection in 0.486s with 22 message(s) sent and 0 alert(s) raised.
10350 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
10522 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | CodeInjectionPlugin in 0.172s with 8 message(s) sent and 0 alert(s) raised.
10522 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
11355 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | CommandInjectionPlugin in 0.833s with 32 message(s) sent and 0 alert(s) raised.
11355 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
11389 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestDirectoryBrowsing in 0.034s with 1 message(s) sent and 0 alert(s) raised.
11389 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | TestExternalRedirect strength MEDIUM threshold MEDIUM
11579 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestExternalRedirect in 0.19s with 9 message(s) sent and 0 alert(s) raised.
11580 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | BufferOverflow strength MEDIUM threshold MEDIUM
11617 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | BufferOverflow in 0.037s with 1 message(s) sent and 0 alert(s) raised.
11617 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | FormatString strength MEDIUM threshold MEDIUM
11729 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | FormatString in 0.112s with 3 message(s) sent and 0 alert(s) raised.
11729 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | TestInjectionCRLF strength MEDIUM threshold MEDIUM
11911 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestInjectionCRLF in 0.182s with 7 message(s) sent and 0 alert(s) raised.
11912 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | TestParameterTamper strength MEDIUM threshold MEDIUM
12106 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://www.itsecgames.com | TestParameterTamper in 0.194s with 7 message(s) sent and 0 alert(s) raised.
12106 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://www.itsecgames.com | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
12107 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled] http://www.itsecgames.com | ScriptsActiveScanner in 0.001s with 0 message(s) sent and 0 alert(s) raised.
12107 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host http://www.itsecgames.com in 6.389s
12108 [Thread-8] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 6.402s
16868 [Thread-27] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner stopped
16887 [Thread-27] INFO hsqldb.db..ENGINE  - dataFileCache commit start
16891 [Thread-27] INFO hsqldb.db..ENGINE  - dataFileCache commit end
16895 [Thread-27] INFO hsqldb.db..ENGINE  - Database closed
16996 [Thread-27] INFO org.zaproxy.zap.extension.api.CoreAPI  - OWASP ZAP 2.7.0 terminated.
  • SOAP exception while using ZAP

    I am using ZAP software for security testing on my system which has centos 7 configured. The issue is the software can not attack on the url and has error below -

    19713 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
19740 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
43779 [ZAP-SpiderThreadPool-0-thread-1] INFO 
org.zaproxy.zap.spider.Spider  - Spidering process is complete. 
Shutting down...
43780 [ZAP-SpiderShutdownThread-0] INFO 
org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning 
complete: true
46259 [ZAP-QuickStart-AttackThread] ERROR 
 org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in 
 thread "ZAP-QuickStart-AttackThread"
 java.lang.NoClassDefFoundError: javax/xml/soap/SOAPException
    at java.base/java.lang.Class.getDeclaredConstructors0(Native 
  Method)
    at java.base/java.lang.Class.privateGetDeclaredConstructors(Class.java:3138)
    at java.base/java.lang.Class.getConstructor0(Class.java:3343)
    at java.base/java.lang.Class.getConstructor(Class.java:2152)
    at org.zaproxy.zap.control.AddOnLoaderUtils.loadAndInstantiateClassImpl(AddOnLoaderUtils.java:111)
    at org.zaproxy.zap.control.AddOnLoaderUtils.loadDeclaredClasses(AddOnLoaderUtils.java:151)
    at org.zaproxy.zap.control.AddOnLoaderUtils.getActiveScanRules(AddOnLoaderUtils.java:177)
    at org.zaproxy.zap.control.AddOnLoader.getActiveScanRules(AddOnLoader.java:791)
    at org.parosproxy.paros.core.scanner.PluginFactory.initPlugins(PluginFactory.java:100)
    at org.parosproxy.paros.core.scanner.PluginFactory.getLoadedPlugins(PluginFactory.java:132)
    at org.parosproxy.paros.core.scanner.PluginFactory.loadAllPlugin(PluginFactory.java:398)
    at org.zaproxy.zap.extension.ascan.ScanPolicy.<init>(ScanPolicy.java:31)
    at org.zaproxy.zap.extension.ascan.PolicyManager.loadPolicy(PolicyManager.java:142)
    at org.zaproxy.zap.extension.ascan.PolicyManager.loadPolicy(PolicyManager.java:129)
    at org.zaproxy.zap.extension.ascan.PolicyManager.getDefaultScanPolicy(PolicyManager.java:205)
    at org.zaproxy.zap.extension.ascan.ActiveScanController.startScan(ActiveScanController.java:161)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:273)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:238)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:234)
    at org.zaproxy.zap.extension.quickstart.AttackThread.run(AttackThread.java:143)
 Caused by: java.lang.ClassNotFoundException
    at org.zaproxy.zap.control.AddOnClassLoader.findClass(AddOnClassLoader.java:256)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 20 more