OWASP ZAP - Access Site tree
I'm using the OWASP ZAP API for spidering. I couldn't find a way to get the site tree structure via the ZAP API. I would like to know if there is any way I can get the Sites tree of the URL (with its nodes) via the ZAP API?
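One way to reconstruct the Sites tree from the ZAP API, as an added example that is not part of the original question or of ZAP itself: ZAP does not hand back the tree as a single object, but the core/view/urls view (optionally filtered with baseurl) returns every URL ZAP has recorded for a site, and the tree shown in the GUI is just those URLs grouped by scheme://host and then by path segment. The example below uses only the Python standard library. The ZAP address (http://127.0.0.1:8080), the API key placeholder and the SAMPLE_URLS list are assumptions for illustration; the response key "urls" is what the JSON API wraps that view's result in. The offline demo runs on the constructed list, so nothing is fetched unless you call fetch_known_urls yourself.

```python
"""Rebuild a ZAP-style Sites tree from the URLs a running ZAP instance reports."""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List


def fetch_known_urls(zap_api: str, apikey: str, baseurl: str = "") -> List[str]:
    """Query core/view/urls on a running ZAP daemon and return the URL list.

    zap_api is the ZAP API root (assumed here to be http://127.0.0.1:8080);
    the API key is passed as the 'apikey' query parameter, and 'baseurl'
    limits the result to one site. The JSON API wraps the result as {"urls": [...]}.
    """
    params = {"apikey": apikey}
    if baseurl:
        params["baseurl"] = baseurl
    url = f"{zap_api}/JSON/core/view/urls/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["urls"]


def build_site_tree(urls: Iterable[str]) -> Dict[str, dict]:
    """Group URLs the way ZAP's Sites tree does.

    One root node per scheme://host[:port], then one nested node per path
    segment. Query strings are dropped: in ZAP's own tree those appear as
    method/parameter variants of a node, not as separate paths. Malformed
    entries (no scheme or host) are skipped instead of aborting the walk.
    """
    tree: Dict[str, dict] = {}
    for raw in urls:
        parts = urllib.parse.urlsplit(raw)
        if not parts.scheme or not parts.netloc:
            continue
        node = tree.setdefault(f"{parts.scheme}://{parts.netloc}", {})
        for segment in filter(None, parts.path.split("/")):
            node = node.setdefault(segment, {})
    return tree


def render_tree(tree: Dict[str, dict], indent: int = 0) -> List[str]:
    """Flatten the nested dict into indented lines, children sorted by name."""
    lines: List[str] = []
    for name in sorted(tree):
        lines.append("  " * indent + name)
        lines.extend(render_tree(tree[name], indent + 1))
    return lines


# Constructed sample standing in for what core/view/urls would return
# (includes a query-string variant, two schemes and one junk entry).
SAMPLE_URLS = [
    "http://example.test/",
    "http://example.test/login",
    "http://example.test/login?user=a",
    "http://example.test/api/v1/users",
    "http://example.test/api/v1/users/42",
    "https://example.test/admin/",
    "not a url",
]

if __name__ == "__main__":
    # Offline demo. For live data replace SAMPLE_URLS with
    # fetch_known_urls("http://127.0.0.1:8080", "<your-api-key>", "http://example.test")
    print("\n".join(render_tree(build_site_tree(SAMPLE_URLS))))
```

The grouping deliberately mirrors what you see in the GUI (one root per scheme and host, so http:// and https:// versions of the same host are separate trees). If you need the live node names rather than raw paths, check the API views listed in the local ZAP API UI (/UI/core/view/) for your version, since the set of views differs between releases.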
See also questions close to this topic
-
How to defend against stored XSS inside a JSP attribute value in a form
Question: How to defend against stored XSS inside a JSP attribute value in a form?
The initial code is like
<form ..>
  <input value="<c:out value="${name}"/>" type="text" />
</form>
Using c:out:
<input value="<c:out value="${name}"/>" type="text" />
or esapi:encodeForHTMLAttribute?
<%@ taglib prefix="esapi" uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" %>
<input value="<esapi:encodeForHTMLAttribute>${name}</esapi:encodeForHTMLAttribute>" type="text" />
My first thought: From what I read, the ESAPI encoding is the safest way. I don't think c:out is safe enough when we are writing the value of an attribute. Based on the OWASP cheat sheet to prevent XSS, escaping should be done differently depending on the context where the value is used, an attribute value in this case.
c:out only escapes HTML-sensitive characters, so only these characters: & < > " ' /. An example of vulnerability: it is possible someone deletes by mistake the characters " or ' surrounding the attribute value. The page will still be valid HTML and work well. But if the value to be inserted in the attribute is something like onclick=alert(1) then, because c:out will not escape anything, we will have the HTML
-
Maven dependency check fails with "Unable to connect to the database"
I use the following dependency to check the code for CVEs.
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.4.0</version>
On my Jenkins I randomly get the following exception and my build fails.
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to connect to the database
    at org.owasp.dependencycheck.data.nvdcve.ConnectionFactory.initialize (ConnectionFactory.java:161)
    at org.owasp.dependencycheck.Engine.initializeEngine (Engine.java:106)
    at org.owasp.dependencycheck.Engine.<init> (Engine.java:86)
    at org.owasp.dependencycheck.maven.Engine.<init> (Engine.java:66)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.initializeEngine (BaseDependencyCheckMojo.java:659)
    at org.owasp.dependencycheck.maven.CheckMojo.runCheck (CheckMojo.java:72)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:410)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    ...
This seems to occur only on one particular executor (I use one Maven repo per executor). What can this be?
-
Can someone share any standard or guidelines for Desktop Application security testing?
Can someone share any standard or guidelines for desktop application security testing? Something similar to OWASP, NIST, etc.
-
OWASP/ZAP dangling when trying to scan
I am trying out OWASP ZAP to see if it is something we can use for our project, but I cannot make it work. I don't know what I am doing wrong and the documentation really does not help. What I am trying is to run a scan on my API running in a Docker container locally on my Windows machine, so I run the command:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t http://172.21.0.2:8080/swagger.json -g gen.conf -r testreport.html
The IP 172.21.0.2 is the IP address of my API container. I even tried with localhost and 127.0.0.1, but it just hangs at the following log message:
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Feb 14, 2019 1:43:31 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Nothing happens and my ZAP Docker container is in an unhealthy state; after some time it just crashes and ends up with a bunch of NullPointerExceptions. Does the ZAP Docker image only work on Linux? Is there something specific I need to do when running it on a Windows machine? I don't get why this is not working even when I am following exactly the guideline in https://github.com/zaproxy/zaproxy/wiki/Docker
Edit 1: My latest try, where I am targeting my host IP address directly and the port I am exposing my API on, gives me the following error:
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Feb 14, 2019 2:12:07 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 3 URLs
ERROR Permission denied
2019-02-14 14:12:57,116 I/O error(13): Permission denied
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 347, in main
    with open(base_dir + generate, 'w') as f:
IOError: [Errno 13] Permission denied: '/zap/wrk/gen.conf'
Found Java version 1.8.0_151
Available memory: 3928 MB
Setting jvm heap size: -Xmx982m
213 [main] INFO org.zaproxy.zap.DaemonBootstrap
-
OWASP ZAP docker returns 'Connection refused' when running active-scan
I'm trying to set up OWASP ZAP to run locally using the Docker image provided.
docker run --name zap -u zap \
  -p 8090:8090 -v "$(pwd)/reports":/zap/reports/:rw \
  -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 \
  -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true \
  -config api.disablekey=true
If I try to run a quick scan, it completes successfully:
docker exec zap zap-cli --verbose quick-scan --self-contained --start-options '-config api.disablekey=true' http://www.itsecgames.com -l Medium
but I keep getting "Connection refused" every time I try an active scan:
docker exec zap zap-cli --verbose active-scan http://www.itsecgames.com
Any idea why this might be the case?
I get the same error when trying to generate reports:
docker exec zap zap-cli --verbose report -o /zap/reports/owasp-quick-scan-report.html --output-format html
EDIT: and the logs don't show any useful information:
9864 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestPersistentXSSAttack in 0.003s with 0 message(s) sent and 0 alert(s) raised.
9864 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | TestSQLInjection strength MEDIUM threshold MEDIUM
10350 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestSQLInjection in 0.486s with 22 message(s) sent and 0 alert(s) raised.
10350 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
10522 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | CodeInjectionPlugin in 0.172s with 8 message(s) sent and 0 alert(s) raised.
10522 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
11355 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | CommandInjectionPlugin in 0.833s with 32 message(s) sent and 0 alert(s) raised.
11355 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
11389 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestDirectoryBrowsing in 0.034s with 1 message(s) sent and 0 alert(s) raised.
11389 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | TestExternalRedirect strength MEDIUM threshold MEDIUM
11579 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestExternalRedirect in 0.19s with 9 message(s) sent and 0 alert(s) raised.
11580 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | BufferOverflow strength MEDIUM threshold MEDIUM
11617 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | BufferOverflow in 0.037s with 1 message(s) sent and 0 alert(s) raised.
11617 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | FormatString strength MEDIUM threshold MEDIUM
11729 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | FormatString in 0.112s with 3 message(s) sent and 0 alert(s) raised.
11729 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | TestInjectionCRLF strength MEDIUM threshold MEDIUM
11911 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestInjectionCRLF in 0.182s with 7 message(s) sent and 0 alert(s) raised.
11912 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | TestParameterTamper strength MEDIUM threshold MEDIUM
12106 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://www.itsecgames.com | TestParameterTamper in 0.194s with 7 message(s) sent and 0 alert(s) raised.
12106 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://www.itsecgames.com | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
12107 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [no scripts enabled] http://www.itsecgames.com | ScriptsActiveScanner in 0.001s with 0 message(s) sent and 0 alert(s) raised.
12107 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host http://www.itsecgames.com in 6.389s
12108 [Thread-8] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 6.402s
16868 [Thread-27] INFO org.parosproxy.paros.core.scanner.Scanner - scanner stopped
16887 [Thread-27] INFO hsqldb.db..ENGINE - dataFileCache commit start
16891 [Thread-27] INFO hsqldb.db..ENGINE - dataFileCache commit end
16895 [Thread-27] INFO hsqldb.db..ENGINE - Database closed
16996 [Thread-27] INFO org.zaproxy.zap.extension.api.CoreAPI - OWASP ZAP 2.7.0 terminated.
-
SOAP exception while using ZAP
I am using the ZAP software for security testing on my system, which has CentOS 7 configured. The issue is that the software cannot attack the URL and gives the error below:
19713 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
19740 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
43779 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
43780 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
46259 [ZAP-QuickStart-AttackThread] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger - Exception in thread "ZAP-QuickStart-AttackThread"
java.lang.NoClassDefFoundError: javax/xml/soap/SOAPException
    at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
    at java.base/java.lang.Class.privateGetDeclaredConstructors(Class.java:3138)
    at java.base/java.lang.Class.getConstructor0(Class.java:3343)
    at java.base/java.lang.Class.getConstructor(Class.java:2152)
    at org.zaproxy.zap.control.AddOnLoaderUtils.loadAndInstantiateClassImpl(AddOnLoaderUtils.java:111)
    at org.zaproxy.zap.control.AddOnLoaderUtils.loadDeclaredClasses(AddOnLoaderUtils.java:151)
    at org.zaproxy.zap.control.AddOnLoaderUtils.getActiveScanRules(AddOnLoaderUtils.java:177)
    at org.zaproxy.zap.control.AddOnLoader.getActiveScanRules(AddOnLoader.java:791)
    at org.parosproxy.paros.core.scanner.PluginFactory.initPlugins(PluginFactory.java:100)
    at org.parosproxy.paros.core.scanner.PluginFactory.getLoadedPlugins(PluginFactory.java:132)
    at org.parosproxy.paros.core.scanner.PluginFactory.loadAllPlugin(PluginFactory.java:398)
    at org.zaproxy.zap.extension.ascan.ScanPolicy.<init>(ScanPolicy.java:31)
    at org.zaproxy.zap.extension.ascan.PolicyManager.loadPolicy(PolicyManager.java:142)
    at org.zaproxy.zap.extension.ascan.PolicyManager.loadPolicy(PolicyManager.java:129)
    at org.zaproxy.zap.extension.ascan.PolicyManager.getDefaultScanPolicy(PolicyManager.java:205)
    at org.zaproxy.zap.extension.ascan.ActiveScanController.startScan(ActiveScanController.java:161)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:273)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:238)
    at org.zaproxy.zap.extension.ascan.ExtensionActiveScan.startScan(ExtensionActiveScan.java:234)
    at org.zaproxy.zap.extension.quickstart.AttackThread.run(AttackThread.java:143)
Caused by: java.lang.ClassNotFoundException
    at org.zaproxy.zap.control.AddOnClassLoader.findClass(AddOnClassLoader.java:256)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 20 more