How to perform form-based authentication in ZAP docker instead of a headless scan

Problem description

I am running the zap docker full scan against the target host. However, while debugging I found that I had missed supplying login information to my web application, which is also the target host. The steps are as follows -

  1. On startup, the web application does not land on the login page; instead it lands on application setup or installation details pages. Once we have supplied all the details and then set up a questionnaire, the application lands on the login page.
  2. Initially I ran, in a jenkins stage, sh 'docker run -v /<Jenkins Path>/Reports:/zap/wrk/:rw -t docker.io/owasp/zap2docker-stable zap-full-scan.py -t https://<host>:<IP>/ -g gen.conf -r testreport.html'. With the above command, zap scanned as far as https://://login and ended the scan.
  3. Then, when I started exploring more about ZAP logging in to the web application and performing the scan, I came across https://github.com/ICTU/zap-baseline and found that zap Docker has no other form-based authentication solution in the stable build. I also hit the following error when I ran the command docker run --rm -v /<Path>/Reports:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://<host>:<port>-r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=https://<ip>:<port>/<page>/login auth.username="abc" auth.password="abc123" auth.username_field="j_username" auth.password_field="j_password" auth.submit_field="j_submit""'

Error

14593 [ZAP-daemon] INFO  org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
16732 [ZAP-daemon] INFO  org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
16737 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
java.lang.Exception: File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
   at org.parosproxy.paros.CommandLine.parse(CommandLine.java:304) ~[zap-D-2021-02-01.jar:D-2021-02-01]
   at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1049) ~[zap-D-2021-02-01.jar:D-2021-02-01]
   at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:85) [zap-D-2021-02-01.jar:D-2021-02-01]
   at java.lang.Thread.run(Thread.java:834) [?:?]
16751 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:54624
56762 [ZAP-ProxyThread-11] INFO  org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=false, tokenValues='']
56807 [ZAP-ProxyThread-13] INFO  org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=true, tokenValues='JSESSIONID=<sessionid>']
67128 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: ctx-zap-docker at Wed Feb 17 16:56:10 UTC 2021
67134 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
67212 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
72093 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Absence of Anti-CSRF Tokens as it has raised more than 10 alerts.

Is there any other way to perform a full scan in zap docker with login or form-based authentication, rather than a headless scan? Also, regarding point 1 - how do I perform all the initial setup and land on the login page? Or how can I bypass the initial setup and land directly on the login page? Unless you complete the initial setup page, the login page is not enabled and you cannot navigate to /login/.

I also get the following error -

660506 [Thread-10] INFO  org.parosproxy.paros.core.scanner.HostProcess - Scanning 541 node(s) from https://<ip>:<port>
660508 [Thread-10] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://<ip>:<port> | PathTraversalScanRule strength LOW threshold MEDIUM
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGBUS (0x7) at pc=0x00007fd5508d72b5, pid=9, tid=2998
#
# JRE version: OpenJDK Runtime Environment (11.0.9.1+1) (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
# Java VM: OpenJDK 64-Bit Server VM (11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# v  ~StubRoutines::jlong_disjoint_arraycopy
#
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P %E" (or dumping to /zap/core.9)
#
# An error report file with more information is saved as:
# /zap/hs_err_pid9.log
Compiled method (c2) 1152543 17502   !   4       java.nio.DirectByteBuffer::put (151 bytes)
 total in heap  [0x00007fd558d4d710,0x00007fd558d4e020] = 2320
 relocation     [0x00007fd558d4d888,0x00007fd558d4d8b8] = 48
 main code      [0x00007fd558d4d8c0,0x00007fd558d4dbc0] = 768
 stub code      [0x00007fd558d4dbc0,0x00007fd558d4dbe8] = 40
 oops           [0x00007fd558d4dbe8,0x00007fd558d4dbf0] = 8
 metadata       [0x00007fd558d4dbf0,0x00007fd558d4dc60] = 112
 scopes data    [0x00007fd558d4dc60,0x00007fd558d4df08] = 680
 scopes pcs     [0x00007fd558d4df08,0x00007fd558d4dfe8] = 224
 dependencies   [0x00007fd558d4dfe8,0x00007fd558d4dff0] = 8
 handler table  [0x00007fd558d4dff0,0x00007fd558d4e008] = 24
 nul chk table  [0x00007fd558d4e008,0x00007fd558d4e020] = 24
Compiled method (c1) 1152543 15814       3       org.hsqldb.rowio.RowOutputBinaryEncode::writeData (93 bytes)
 total in heap  [0x00007fd552311990,0x00007fd552312ba8] = 4632
 relocation     [0x00007fd552311b08,0x00007fd552311bf0] = 232
 main code      [0x00007fd552311c00,0x00007fd5523127c0] = 3008
 stub code      [0x00007fd5523127c0,0x00007fd552312860] = 160
 oops           [0x00007fd552312860,0x00007fd552312868] = 8
 metadata       [0x00007fd552312868,0x00007fd5523128a8] = 64
 scopes data    [0x00007fd5523128a8,0x00007fd552312a18] = 368
 scopes pcs     [0x00007fd552312a18,0x00007fd552312b78] = 352
 dependencies   [0x00007fd552312b78,0x00007fd552312b80] = 8
 nul chk table  [0x00007fd552312b80,0x00007fd552312ba8] = 40
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled
#
# If you would like to submit a bug report, please visit:
#   https://bugs.launchpad.net/ubuntu/+source/openjdk-lts
#

Tags: docker owasp zap

Solution


I always recommend that people use ZAP desktop to set up and test authentication - it is very hard to do without a UI. Once you have it working on the desktop, you can export the settings and test whether they still work in your automation environment. I recorded a set of videos on ZAP automation and authentication: https://www.zaproxy.org/addo-auth-workshop/ , and I am now recording more as part of the Deep Dive series: https://www.zaproxy.org/zap-deep-dive/

Take it one step at a time - there is no point trying to do everything at once, because the chance of it working the first time is small, and when you try to fix the problems you will not know where to start.
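The answer's "get it working first, then test the exported settings in your automation environment" step, as an added example that is not part of the question or the answer above. It drives a running ZAP (desktop or daemon) through the ZAP API with the python-owasp-zap-v2.4 client, which is an assumption: the ictu hook and the `-z auth.*` options from the question are not used. The login URL and the j_username / j_password field names are placeholders taken from the question's command line; the context name ctx-zap-docker is the one in the question's log; ZAP_PROXY, ZAP_API_KEY, ZAP_USER, ZAP_PASS and the `\Qlogout\E` logged-in indicator are assumed values to replace. The config-building helpers are pure, so the encoding can be checked offline before anything is sent to ZAP.

```python
"""Configure ZAP form-based authentication through the ZAP API, one step at a
time, so the setup can be verified before it is wired into a docker scan.

Added example; assumes python-owasp-zap-v2.4 (pip install python-owasp-zap-v2.4)
and a ZAP instance listening at ZAP_PROXY with the API enabled.
"""
import os
import re
import time
from urllib.parse import quote, parse_qs

LOGIN_URL = "https://<host>:<port>/<page>/login"  # placeholder from the question
USERNAME_FIELD = "j_username"                     # field names from the question
PASSWORD_FIELD = "j_password"
ZAP_PROXY = os.environ.get("ZAP_PROXY", "http://127.0.0.1:8080")  # assumed default


def build_login_request_data(username_field, password_field):
    """POST body template; ZAP substitutes {%username%} / {%password%} at login."""
    return f"{username_field}={{%username%}}&{password_field}={{%password%}}"


def build_auth_method_params(login_url, username_field, password_field):
    """formBasedAuthentication config as the URL-encoded key=value string the
    authentication API expects. Encoding matters: an unencoded '&' or '=' in
    the login URL or request data would be read as a parameter separator."""
    request_data = build_login_request_data(username_field, password_field)
    return ("loginUrl=" + quote(login_url, safe="")
            + "&loginRequestData=" + quote(request_data, safe=""))


def build_credential_params(username, password):
    """User credentials in the same URL-encoded key=value form."""
    return "username=" + quote(username, safe="") + "&password=" + quote(password, safe="")


def decode_params(params):
    """Decode a config string back to a dict to inspect what ZAP will receive."""
    return {k: v[0] for k, v in parse_qs(params, keep_blank_values=True).items()}


def configure_auth(zap, context_name, login_url, username, password,
                   logged_in_regex, username_field=USERNAME_FIELD,
                   password_field=PASSWORD_FIELD):
    """Create a context, attach form-based auth and a user, force that user,
    and return (context_id, user_id). Requires a live ZAP."""
    base = login_url.rsplit("/", 1)[0]  # context covers the app, not only /login
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, re.escape(base) + ".*")
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication",
        build_auth_method_params(login_url, username_field, password_field))
    # Regex seen only in authenticated responses (e.g. a logout link); without
    # it ZAP cannot tell a successful login from a failed one.
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id, build_credential_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, True)
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled(True)
    return context_id, user_id


def spider_as_user(zap, context_id, user_id, start_url):
    """Smoke test: spider as the configured user and return the URLs found.
    Pages behind the login showing up here means the login worked."""
    scan_id = zap.spider.scan_as_user(context_id, user_id, start_url)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(2)
    return zap.spider.results(scan_id)


if __name__ == "__main__":
    from zapv2 import ZAPv2
    zap = ZAPv2(apikey=os.environ.get("ZAP_API_KEY"),
                proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    ctx, uid = configure_auth(zap, "ctx-zap-docker", LOGIN_URL,
                              os.environ["ZAP_USER"], os.environ["ZAP_PASS"],
                              logged_in_regex=r"\Qlogout\E")  # placeholder indicator
    for url in spider_as_user(zap, ctx, uid, LOGIN_URL):
        print(url)
```

Run it against the desktop ZAP first, with the setup pages from point 1 already completed by hand; once the spider lists pages behind the login, the same functions can be pointed at the daemon inside the container.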

