如何解决ZAP 主动扫描在桌面上工作,但在 docker 图像中失败并显示 url_not_in_context 错误
我能够使用 ZAP 桌面扫描我的 API,但在从 zap docker 图像进行主动扫描时失败并显示“url_not_in_context”错误。上下文定义从桌面导出并指定为 zap-api-scan.py 的参数。
我正在使用 zap2docker-stable 图像来扫描 API。为 httpsender 身份验证加载自定义脚本。
错误: 51660 [ZAP-ProxyThread-15] 警告 org.zaproxy.zap.extension.api.API - 来自 [127.0.0.1] 的 API 端点 [/JSON/ascan/action/scanAsUser/] 的错误请求: org.zaproxy.zap.extension.api.ApiException: url_not_in_context 在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:879) ~[zap-2.10.0.jar:2.10.0] 在 org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:370) ~[zap-2.10.0.jar:2.10.0] 在 org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-2.10.0.jar:2.10.0]
我已经实施了 ZAP SCAN: Jenkins Job failed (url_not_in_context)
中提到的建议Docker 命令:
docker run -v D:/dev/cloud/zap/scripts:/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -d -t customer-api-docs.json -f openapi -r /zap/wrk/testreport.html -n customer-service.context.xml -U bob@xyz.com --hook=load-script.py -z "-addoninstall jython"
上下文文件中的增量配置:
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
在 ZAP 桌面中进行相同的配置工作。
在执行开始时会打印以下日志,但随后会继续启动 zap、加载插件并最终失败。它是预期的还是指出某些问题?
Jun 11,2021 6:58:40 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
zap_started(<zapv2.ZAPv2 object at 0x7f3750bf13d0>,customer-api-docs.json)
load authentication script
load http sender script
2021-06-11 06:59:20,857 Number of Imported URLs: 9
Traceback (most recent call last):
File "/zap/zap-api-scan.py",line 484,in main
zap_active_scan(zap,target,scan_policy)
File "/zap/zap_common.py",line 104,in _wrap
return_data = func(*args_list,**kwargs)
File "/zap/zap_common.py",line 450,in zap_active_scan
raise_scan_not_started()
File "/zap/zap_common.py",line 399,in raise_scan_not_started
raise ScanNotStartedException('Failed to start the scan,check the log/output for more details.')
zap_common.ScanNotStartedException: Failed to start the scan,check the log/output for more details.
Found Java version 11.0.9.1
Available memory: 3917 MB
Using JVM args: -Xmx979m
2381 [main] INFO org.parosproxy.paros.Constant - copying default configuration to /home/zap/.ZAP/config.xml
我必须在扫描期间设置 apiKey 吗?如何确定docker实例的apiKey?
2021-06-11 10:33:20,894 http://localhost:46219 "GET http://zap/JSON/ascan/action/scanAsUser/?apikey=&url=http%3A%2F%2Fdev.xyz .com&contextId=1&userId=10&recurse=True&scanPolicyName=API-Minimal HTTP/1.1" 400 89
上下文文件:
<configuration>
<context>
<name>customer-service</name>
<desc/>
<inscope>true</inscope>
<incregexes>http://dev.xyz.com/customer.*</incregexes>
<excregexes>http://dev.xyz.com/customer/v3*</excregexes>
<tech>
<include>Db.IBM DB2</include>
<include>Language.JSP/Servlet</include>
<include>Language.Java</include>
<include>Language.JavaScript</include>
<include>OS.Linux</include>
<include>WS.Tomcat</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.Hypersonicsql</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft sql Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.MysqL</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.Postgresql</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.sqlite</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.PHP</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.MacOS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.Git</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.Apache</exclude>
<exclude>WS.IIS</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&","struct":[]}</config>
</postparser>
<authentication>
<type>4</type>
<strategy>EACH_RESP</strategy>
<pollurl/>
<polldata/>
<pollheaders/>
<pollfreq>60</pollfreq>
<pollunits>REQUESTS</pollunits>
<loggedin>HTTP\/1.1\s(200|404|400|500|403)</loggedin>
<loggedout>HTTP\/1.1\s401</loggedout>
<script>
<name>oidc_ropc_script</name>
<params>Y2xpZW50SWQ=:cnhub3Zh</params>
</script>
</authentication>
<users>
<user>10;true;Ym9iQHNzYy5jb20=;4;cGFzc3dvcmQ=:d2VsY29tZTE=&dXNlcm5hbWU=:Ym9iQHNzYy5jb20=</user>
</users>
<forceduser>10</forceduser>
<session>
<type>1</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
我错过了什么?
解决方法
终于发现问题了!!
zap-api-scan 规范化目标 URL 以移除上下文。所以 http://dev.xyz.com/customer 改为 http://dev.xyz.com。
因为这不是允许的 URL 的一部分,所以它总是失败。更改 incregex 以删除上下文路径 /customer 解决了该问题。
这与桌面模式不同。可能是一个错误。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。