docker - How to perform form-based authentication in the ZAP docker instead of a headless scan
Problem description
I am running the zap docker full scan against the target host. However, while debugging I found that I had missed supplying the login details to my web application, which is also the target host. The steps are as follows -
- On startup the web application does not land on the login page; it lands on the set-up application / installation details pages etc. Once we have provided all the details and then set up some questionnaire, the application lands on the login page.
- Initially I ran the following in a Jenkins stage
sh 'docker run -v /<Jenkins Path>/Reports:/zap/wrk/:rw -t docker.io/owasp/zap2docker-stable zap-full-scan.py -t https://<host>:<IP>/ -g gen.conf -r testreport.html'
In the command above ZAP scanned up to https://://login and then finished the scan.
- Then, as I started exploring more about getting ZAP to log in to the web application and perform the scan, I came across
https://github.com/ICTU/zap-baseline
and found that the ZAP Docker stable build has no other form-based authentication solution; when I ran the following command I also got the error below:
docker run --rm -v /<Path>/Reports:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://<host>:<port>-r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=https://<ip>:<port>/<page>/login auth.username="abc" auth.password="abc123" auth.username_field="j_username" auth.password_field="j_password" auth.submit_field="j_submit""'
Error
14593 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
16732 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
16737 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
java.lang.Exception: File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
at org.parosproxy.paros.CommandLine.parse(CommandLine.java:304) ~[zap-D-2021-02-01.jar:D-2021-02-01]
at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1049) ~[zap-D-2021-02-01.jar:D-2021-02-01]
at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:85) [zap-D-2021-02-01.jar:D-2021-02-01]
at java.lang.Thread.run(Thread.java:834) [?:?]
16751 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:54624
56762 [ZAP-ProxyThread-11] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=false, tokenValues='']
56807 [ZAP-ProxyThread-13] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=true, tokenValues='JSESSIONID=<sessionid>']
67128 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: ctx-zap-docker at Wed Feb 17 16:56:10 UTC 2021
67134 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
67212 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
72093 [ZAP-PassiveScanner] INFO org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Absence of Anti-CSRF Tokens as it has raised more than 10 alerts.
Is there any other way to perform a full scan in the zap docker with login or form-based authentication, instead of a headless scan? Also, regarding point 1 - how do I perform all the initial setup and land on the login page? Or how do I bypass the initial setup and land directly on the login page, given that unless you complete the initial setup pages the login page is not enabled and you cannot navigate to /login/
I also get the following error -
660506 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - Scanning 541 node(s) from https://<ip>:<port>
660508 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://<ip>:<port> | PathTraversalScanRule strength LOW threshold MEDIUM
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGBUS (0x7) at pc=0x00007fd5508d72b5, pid=9, tid=2998
#
# JRE version: OpenJDK Runtime Environment (11.0.9.1+1) (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
# Java VM: OpenJDK 64-Bit Server VM (11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# v ~StubRoutines::jlong_disjoint_arraycopy
#
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P %E" (or dumping to /zap/core.9)
#
# An error report file with more information is saved as:
# /zap/hs_err_pid9.log
Compiled method (c2) 1152543 17502 ! 4 java.nio.DirectByteBuffer::put (151 bytes)
total in heap [0x00007fd558d4d710,0x00007fd558d4e020] = 2320
relocation [0x00007fd558d4d888,0x00007fd558d4d8b8] = 48
main code [0x00007fd558d4d8c0,0x00007fd558d4dbc0] = 768
stub code [0x00007fd558d4dbc0,0x00007fd558d4dbe8] = 40
oops [0x00007fd558d4dbe8,0x00007fd558d4dbf0] = 8
metadata [0x00007fd558d4dbf0,0x00007fd558d4dc60] = 112
scopes data [0x00007fd558d4dc60,0x00007fd558d4df08] = 680
scopes pcs [0x00007fd558d4df08,0x00007fd558d4dfe8] = 224
dependencies [0x00007fd558d4dfe8,0x00007fd558d4dff0] = 8
handler table [0x00007fd558d4dff0,0x00007fd558d4e008] = 24
nul chk table [0x00007fd558d4e008,0x00007fd558d4e020] = 24
Compiled method (c1) 1152543 15814 3 org.hsqldb.rowio.RowOutputBinaryEncode::writeData (93 bytes)
total in heap [0x00007fd552311990,0x00007fd552312ba8] = 4632
relocation [0x00007fd552311b08,0x00007fd552311bf0] = 232
main code [0x00007fd552311c00,0x00007fd5523127c0] = 3008
stub code [0x00007fd5523127c0,0x00007fd552312860] = 160
oops [0x00007fd552312860,0x00007fd552312868] = 8
metadata [0x00007fd552312868,0x00007fd5523128a8] = 64
scopes data [0x00007fd5523128a8,0x00007fd552312a18] = 368
scopes pcs [0x00007fd552312a18,0x00007fd552312b78] = 352
dependencies [0x00007fd552312b78,0x00007fd552312b80] = 8
nul chk table [0x00007fd552312b80,0x00007fd552312ba8] = 40
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled
#
# If you would like to submit a bug report, please visit:
# https://bugs.launchpad.net/ubuntu/+source/openjdk-lts
#
Solution
I always recommend that people use ZAP desktop to set up and test authentication: it is very hard to do this without a UI. Once you have it working on the desktop you can export the settings and test whether they still work in your automation environment. I recorded a set of videos on ZAP automation and authentication: https://www.zaproxy.org/addo-auth-workshop/ and am now recording more as part of the Deep Dive series: https://www.zaproxy.org/zap-deep-dive/
Take it step by step; there is no point trying to do everything at once, because the chance of it working first time is small, and when you try to fix things you will have no idea where to start.
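Editor's added example, not code from the original post, from ZAP or from ICTU/zap-baseline. Two things in the question are worth pinning down. First, in the packaged zap-*-scan.py scripts the -z option passes its argument straight through to the ZAP daemon's command line (its documented use is e.g. -z "-config aaa=bbb"); the trace above shows ZAP's CommandLine.parse receiving the bare string auth.loginurl=... and treating it as a file to open, which is where "File not found" comes from. How the ICTU hook expects its auth.* values is not shown on this page, so the script below does the context setup itself: it is a --hook file that configures a ZAP context with form-based authentication, cookie session management and a forced user through the same zapv2 API the desktop exports, which is the route the answer recommends. Assumptions not taken from the page: the login form posts j_username / j_password / j_submit to <target>/login, the session is a cookie (JSESSIONID as in the log), a logged-in page contains the word "Logout", and the credentials arrive in the environment variables ZAP_AUTH_USER and ZAP_AUTH_PASS. The FakeZap client at the end is a constructed stand-in so the hook can be run offline; a real run gets the zapv2 client from the scan script.

```python
"""
ZAP --hook script: form-based auth context set up before the spider/active scan.
Added example, not code from the post, ZAP, or ICTU/zap-baseline. Assumptions
(not from the page): login form posts j_username/j_password/j_submit to
<target>/login, cookie session (JSESSIONID), logged-in pages contain 'Logout',
credentials come from env vars ZAP_AUTH_USER / ZAP_AUTH_PASS.
"""
import os
import re
from urllib.parse import urlencode, urljoin

CONTEXT_NAME = "ctx-zap-docker"   # context name seen in the spider log line above
USER_NAME = "scan-user"           # hypothetical ZAP user name


def form_auth_params(login_url, username_field, password_field, extra_fields=None):
    """Build the authmethodconfigparams string for ZAP's formBasedAuthentication.

    loginRequestData keeps ZAP's {%username%}/{%password%} placeholders (ZAP fills
    them in at login time) and is percent-encoded as one value, so its own '&'
    and '=' are not read as separators of the outer loginUrl=...&loginRequestData=...
    """
    fields = {username_field: "{%username%}", password_field: "{%password%}"}
    fields.update(extra_fields or {})          # e.g. the submit button name/value
    login_request_data = "&".join(f"{k}={v}" for k, v in fields.items())
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


def credentials_params(username, password):
    """authcredentialsconfigparams for a form-based-auth user."""
    return urlencode({"username": username, "password": password})


def configure_form_auth(zap, target, username, password):
    """Create a context on the target, attach form-based auth and cookie session
    management, add one enabled user and force the scan to run as that user.
    Returns (context_id, user_id)."""
    base = target.rstrip("/")
    login_url = urljoin(base + "/", "login")                 # assumed login endpoint
    context_id = zap.context.new_context(CONTEXT_NAME)
    zap.context.include_in_context(CONTEXT_NAME, re.escape(base) + ".*")
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication",
        form_auth_params(login_url, "j_username", "j_password", {"j_submit": "Login"}))
    # Regex ZAP looks for in responses to decide the session is still authenticated.
    zap.authentication.set_logged_in_indicator(context_id, r"\QLogout\E")
    zap.sessionManagement.set_session_management_method(
        context_id, "cookieBasedSessionManagement", None)
    user_id = zap.users.new_user(context_id, USER_NAME)
    zap.users.set_authentication_credentials(
        context_id, user_id, credentials_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, True)
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled(True)
    return context_id, user_id


def zap_started(zap, target):
    """Hook entry point: the packaged scan scripts call the function with this
    name, passing the zapv2 client and the target URL, once the daemon is up."""
    username = os.environ["ZAP_AUTH_USER"]   # assumed env vars, passed with docker -e
    password = os.environ["ZAP_AUTH_PASS"]
    return configure_form_auth(zap, target, username, password)


class _Recorder:
    """Constructed stand-in for one component of the zapv2 client (zap.context,
    zap.users, ...): records each call and returns canned ids so the hook can be
    exercised offline. Not part of the real client."""

    def __init__(self, log, component, ids=()):
        self._log, self._component, self._ids = log, component, iter(ids)

    def __getattr__(self, method):
        def call(*args):
            self._log.append((f"{self._component}.{method}",) + args)
            return next(self._ids, "OK")
        return call


class FakeZap:
    """Offline replacement for zapv2.ZAPv2 with just the components the hook uses."""

    def __init__(self):
        self.calls = []
        self.context = _Recorder(self.calls, "context", ["1"])      # new_context -> "1"
        self.authentication = _Recorder(self.calls, "authentication")
        self.sessionManagement = _Recorder(self.calls, "sessionManagement")
        self.users = _Recorder(self.calls, "users", ["0"])          # new_user -> "0"
        self.forcedUser = _Recorder(self.calls, "forcedUser")


if __name__ == "__main__":
    fake = FakeZap()
    print(configure_form_auth(fake, "https://app.example/", "abc", "abc123"))
    for call in fake.calls:
        print(call)
```

To use it, save the file into the directory already mounted at /zap/wrk and point the scan at it with --hook=/zap/wrk/auth_hook.py, passing the credentials with docker run -e ZAP_AUTH_USER -e ZAP_AUTH_PASS rather than on the Jenkins sh line, where they would land in the console log. The hook only logs in; it does nothing about the first-run setup wizard described in the question, which is exactly the kind of thing the answer says to work out in the desktop first.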