Memo / A wannabe engineer writes as they please

These are nothing more than my personal operation logs, written while building and running things just far enough to see how they work. They are a personal memo, so please check the latest installation procedure separately. Note: if anything here is odd or wrong, I would appreciate a comment or correction.

OWASP ZAP 2.6 (Docker image): ZAP-Baseline-Scan cannot be run

Running ZAP-Baseline-Scan with OWASP ZAP 2.6

Note: it cannot be run with ZAP-stable 2.6, but this was fixed in ZAP-stable 2.7, where it runs.

Setup

[figure: setup diagram]

Procedure

 Log in to ZAP from the CLI and run the command. Note: the results are recorded below.

Command executed

docker run --rm -t <image> zap-baseline.py -t <URL>

List of options available for "zap-baseline.py"

The options available differ slightly between stable and weekly (weekly additionally lists -J and -T)

[root@sv01 ~]# docker run owasp/zap2docker-stable zap-baseline.py -h
2017-11-19 12:23:56,021 Invalid option h : option -h not recognized
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"

For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

[root@sv01 ~]# docker run owasp/zap2docker-weekly zap-baseline.py -h
2017-11-19 12:24:05,359 Invalid option h : option -h not recognized
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-J report_json file to write the full ZAP JSON document
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-T max time in minutes to wait for ZAP to start and the passive scan to run
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"

For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
[root@sv01 ~]#

Results

  • There is a difference in behaviour between weekly and stable:

    - zap2docker-weekly: the scan runs

    - zap2docker-stable: the scan cannot be run

    I do not really understand the cause, but it may be close to the following issue:

ZAP baseline scan Docker randomly fails with `ValueError: need more than 1 value to unpack` · Issue #3763 · zaproxy/zaproxy · GitHub


  • The spider runs for 1 minute by default, so not all files were scanned; the time probably needs to be set with the " -m " option.
  • Setting the " -T " option to "5" produces an error:
[root@sv01 ~]# docker run owasp/zap2docker-weekly zap-baseline.py -T 5 -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 20, 2017 2:32:48 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
2017-11-20 14:37:39,683 I/O error(5): Failed to connect to ZAP after 300 seconds
Traceback (most recent call last):
File "/zap/zap-baseline.py", line 297, in main
wait_for_zap_start(zap, timeout * 60)
File "/zap/zap_common.py", line 203, in wait_for_zap_start
'Failed to connect to ZAP after {0} seconds'.format(timeout_in_secs))
IOError: [Errno 5] Failed to connect to ZAP after 300 seconds
Found Java version 1.8.0_151
Available memory: 1823 MB
Setting jvm heap size: -Xmx455m
~ omitted ~


1. Check the ZAP images from the CLI

[root@sv01 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
owasp/zap2docker-weekly latest 2db09f036e9e 6 days ago 1.55GB
owasp/zap2docker-stable latest 12c3b9347b07 7 months ago 1.33GB
[root@sv01 ~]#

2. Run

2-1. zap2docker-stable → fails with an error

[root@sv01 ~]# docker run owasp/zap2docker-stable zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 19, 2017 11:13:20 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Traceback (most recent call last):
File "/zap/zap-baseline.py", line 617, in <module>
main(sys.argv[1:])
File "/zap/zap-baseline.py", line 580, in main
except IOError as (errno, strerror):
ValueError: need more than 1 value to unpack
[root@sv01 ~]#

~ Around the relevant lines ~

■ Around line 580
580 except IOError as (errno, strerror):
581 print("ERROR " + str(strerror))
582 logging.warning ('I/O error(' + str(errno) + '): ' + str(strerror))
583 dump_log_file(cid)

■ Around line 617
607 if fail_count > 0:
608 sys.exit(1)
609 elif warn_count > 0:
610 sys.exit(2)
611 elif pass_count > 0:
612 sys.exit(0)
613 else:
614 sys.exit(3)
615
616 if __name__ == "__main__":
617 main(sys.argv[1:])
618
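
As an added example (not code from zap-baseline.py or the ZAP project) to show why the stable image dies at line 580: in Python 2, "except IOError as (errno, strerror):" unpacks the caught exception into two names, so an IOError that was raised with a single argument cannot be unpacked and the handler itself raises ValueError, hiding the original I/O error. Python 3 rejects that clause as a syntax error, so the script below reproduces the mechanism with an explicit unpack of exc.args. The robust_handler function is an assumed replacement for illustration, not the fix that went into 2.7; it reads the errno/strerror attributes instead of unpacking. The two sample errors are constructed from the messages in the logs above.

```python
import errno as errno_mod


def legacy_handler(exc):
    """Mimic the Python 2 clause `except IOError as (errno, strerror):`
    from zap-baseline.py line 580: unpack the exception's args tuple into
    exactly two names. This only works when the error was raised with two
    arguments; a one-argument IOError makes the unpack raise ValueError."""
    errno, strerror = exc.args
    return "I/O error(" + str(errno) + "): " + str(strerror)


def robust_handler(exc):
    """Assumed replacement (not the upstream ZAP fix): read errno/strerror
    as attributes, which every OSError/IOError has (None when not given),
    and fall back to str(exc) so the handler never raises on its own."""
    code = exc.errno if exc.errno is not None else "?"
    text = exc.strerror if exc.strerror is not None else str(exc)
    return "I/O error(" + str(code) + "): " + text


def compare(exc):
    """Run both handlers on one exception and report what each produces;
    the legacy handler's ValueError is captured as a string."""
    try:
        legacy = legacy_handler(exc)
    except ValueError as unpack_err:
        legacy = "ValueError: " + str(unpack_err)
    return {"legacy": legacy, "robust": robust_handler(exc)}


# Constructed sample errors, modelled on the messages in the logs above.
TWO_ARG = IOError(errno_mod.EIO, "Failed to connect to ZAP after 300 seconds")
ONE_ARG = IOError("Failed to connect to ZAP after 300 seconds")

if __name__ == "__main__":
    for sample in (TWO_ARG, ONE_ARG):
        print(compare(sample))
```

With the two-argument error both handlers print the same line; with the one-argument error the legacy clause fails before anything is logged, which is exactly the "need more than 1 value to unpack" trace shown for zap2docker-stable, while the attribute-based handler still produces a usable log line.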
2-2. zap2docker-weekly → runs
[root@sv01 ~]# docker run --rm -t owasp/zap2docker-weekly zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 19, 2017 11:21:05 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi3792210081021508801.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1419)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:508)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3201)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2360)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:794)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:690)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3105)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3051)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:1861)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:147)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:74)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:65)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:93)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:68)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:54)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:397)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:259)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Total of 74 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: CSP Scanner [10055]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Passive Scanner [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 12
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
WARN-NEW: Password Autocomplete in Browser [10012] x 3
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 19
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: X-Frame-Options Header Not Set [10020] x 13
http://192.168.20.161/
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
http://192.168.20.161/archives/date/2017/10
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 42
http://192.168.20.161/
http://192.168.20.161/robots.txt
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 17
http://192.168.20.161/
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/archives/1
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 21
[root@sv01 ~]#
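
As an added example, not part of the original post or of ZAP: a small parser for the zap-baseline.py console output shown above. It turns the PASS/WARN-NEW/FAIL-NEW lines and the example URLs listed under them into structured records, reads the summary line and the URL total, and reproduces the exit-code decision from lines 607-614 of the script so the result can gate a CI job (adding the NEW and INPROG counters together is an assumption of this example). The sample output is a constructed excerpt of the weekly run above.

```python
import re

# Constructed excerpt modelled on the zap2docker-weekly output above
# (only a few of the rules are reproduced here).
SAMPLE_OUTPUT = """\
Total of 74 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: CSP Scanner [10055]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 12
\thttp://192.168.20.161/wp-login.php
\thttp://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 42
\thttp://192.168.20.161/
\thttp://192.168.20.161/robots.txt
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 21
"""

# One line per rule: "<LEVEL>: <rule name> [<id>]" with an optional " x <n>" hit count.
RULE_RE = re.compile(
    r"^(PASS|IGNORE|INFO|WARN-NEW|WARN-INPROG|FAIL-NEW|FAIL-INPROG): "
    r"(.+?) \[(\d+)\](?: x (\d+))?$"
)
SUMMARY_RE = re.compile(
    r"^FAIL-NEW: (\d+) FAIL-INPROG: (\d+) WARN-NEW: (\d+) WARN-INPROG: (\d+) "
    r"INFO: (\d+) IGNORE: (\d+) PASS: (\d+)$"
)
TOTAL_RE = re.compile(r"^Total of (\d+) URLs$")
SUMMARY_KEYS = ("fail_new", "fail_inprog", "warn_new", "warn_inprog",
                "info", "ignore", "pass")


def parse_baseline_output(text):
    """Return (findings, summary). Each finding is a dict with level, name,
    id, count and the example URLs printed under it; summary holds the
    counters from the final line plus the spidered URL total."""
    findings, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TOTAL_RE.match(line)
        if m:
            summary["total_urls"] = int(m.group(1))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary.update(zip(SUMMARY_KEYS, map(int, m.groups())))
            current = None
            continue
        m = RULE_RE.match(line)
        if m:
            level, name, rule_id, count = m.groups()
            current = {"level": level, "name": name, "id": int(rule_id),
                       "count": int(count) if count else 0, "urls": []}
            findings.append(current)
            continue
        # Example URLs are printed (indented) under the rule they belong to.
        if current is not None and line.startswith(("http://", "https://")):
            current["urls"].append(line)
    return findings, summary


def exit_code_for(summary):
    """Reproduce the exit-code decision at lines 607-614 of zap-baseline.py:
    1 = FAIL, 2 = WARN, 0 = only PASSes, 3 = nothing at all. Adding the
    NEW and INPROG counters together is an assumption of this example."""
    fails = summary.get("fail_new", 0) + summary.get("fail_inprog", 0)
    warns = summary.get("warn_new", 0) + summary.get("warn_inprog", 0)
    if fails > 0:
        return 1
    if warns > 0:
        return 2
    if summary.get("pass", 0) > 0:
        return 0
    return 3


def rules_at_level(findings, level_prefix):
    """Sorted rule ids whose level starts with the prefix ('WARN' or 'FAIL'),
    handy for diffing two runs or feeding findings into a tracker."""
    return sorted(f["id"] for f in findings if f["level"].startswith(level_prefix))


if __name__ == "__main__":
    found, summ = parse_baseline_output(SAMPLE_OUTPUT)
    for f in found:
        print(f["level"], f["id"], f["name"], "x", f["count"], "urls:", len(f["urls"]))
    print("summary:", summ, "exit code:", exit_code_for(summ))
```

In practice the text fed to parse_baseline_output would be the captured stdout of the docker run command; the parsed rule ids are what you would compare against a previous run to spot newly introduced WARNs rather than re-reading the whole report each time.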


■ The scan ran, but an error occurred. (excerpt)

com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi3792210081021508801.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1419)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:508)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3201)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2360)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:794)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:690)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3105)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3051)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:1861)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:147)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:74)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:65)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:93)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:68)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:54)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:397)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:259)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)