Я пытаюсь использовать сценарий для сканирования цели и выполнения активного сканирования в качестве подтверждения концепции. Я работал над реализацией ниже, и я не могу заставить ее работать, я не уверен, почему она не будет работать? У меня запущен Zap2 Docker, и я могу получить к нему доступ через API, я также могу получить доступ через gui, сканирование цели с gui работает нормально, однако мой скрипт не будет работать над API, см. Ниже:
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;
import java.util.List;
public class Spider {
private static String ZAP_ADDRESS;// = "ZAPContainerIp";
private static int ZAP_PORT;// = 8090;
// Change to match the API key set in ZAP, or use NULL if the API key is disabled
private static String ZAP_API_KEY;// = "change me";
// The URL of the application to be tested
private static String TARGET;// = "https://targetip.com";
private static boolean scanComplete;
public static void main(String[] args) {
ZAP_ADDRESS = args[0];
ZAP_PORT = Integer.parseInt(args[1]);
ZAP_API_KEY = args[2];
TARGET = args[3];
ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
try {
// Start spidering
System.out.println("Spidering target : " + TARGET);
ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
String scanID;
int progress;
// The scan returns a scan id to support concurrent scanning
scanID = ((ApiResponseElement) resp).getValue();
// Poll the status until it completes
while (true) {
Thread.sleep(1000);
progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
System.out.println("Spider progress : " + progress + "%");
if (progress >= 100) {
scanComplete = true;
break;
}
}
System.out.println("Spider completed");
// If required post process the spider results
List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();
if (scanComplete) {
ActiveScan activeScan = new ActiveScan();
activeScan.attack(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY, TARGET);
}
} catch (Exception e) {
System.out.println("Exception : " + e.getMessage());
e.printStackTrace();
}
}
}
Сканирование:
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;
public class ActiveScan {
private int zapPort;// = 8090;
private String zapApiKey;// = null;
private String zapAddress;// = "localhost";
private String target;// = "https://targetip.com";
public ActiveScan(int zapPort, String zapApiKey, String zapAddress, String target) {
this.zapPort = zapPort;
this.zapApiKey = zapApiKey;
this.zapAddress = zapAddress;
this.target = target;
}
public ActiveScan() {
}
public void attack(String zapAddress, int zapPort, String zapApiKey, String target){
ClientApi api = new ClientApi(zapAddress, zapPort, zapApiKey);
try {
System.out.println("Active Scanning target : " + target);
ApiResponse resp = api.ascan.scan(target, "True", "False", null, null, null);
String scanid;
int progress;
// Scan returns a scan id to support concurrent scanning
scanid = ((ApiResponseElement) resp).getValue();
// Poll status until it completes
while (true) {
Thread.sleep(5000);
progress =
Integer.parseInt(
((ApiResponseElement) api.ascan.status(scanid)).getValue());
System.out.println("Active Scan progress : " + progress + "%");
if (progress >= 100) {
break;
}
}
System.out.println("Active Scan complete");
// Print vulnerabilities found by the scanning
System.out.println("Alerts:");
System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));
} catch (Exception e) {
System.out.println("Exception : " + e.getMessage());
e.printStackTrace();
}
}
}
При запуске выдается ошибка:
java -jar WafTestSuite.jar "zapurl" "8090" "change-me-9203935709" "10.10.10.254:3000"; Spidering target : 10.10.8.254:3000
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:366)
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.http://java:350)
at org.zaproxy.clientapi.gen.Spider.scan(Spider.http://java:242)
at Spider.main(Spider.java:28)
Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.http://www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.http://java:399)
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.http://java:364)
Буду признателен за любую помощь, спасибо.