にわかエンジニア好きなことを書く備忘録

個人用の備忘録となるので、その点はご了承ください。 ※変な内容や間違いを書いているなどありましたらコメントやご指摘いただけると幸いです。出戻りのエンジニアのネットワークやインフラなどの備忘録と趣味での動作テスト結果

OWASP ZAP2.6(Docker Image) ZAP-Baseline-Scanが実行できず。

OWASP ZAP2.6 / ZAP-Baseline-Scanを実行

※ZAP-stable2.6では実行できないが、ZAP-stable2.7で修正され実行可能となっています。

 

 

構成

f:id:pocket01:20171119203820p:plain

実施方法

 ZAPにCLIでログイン後コマンドを実行する ※結果は下記に記載

実施コマンド

docker run --rm -t <image> zap-baseline.py -t <URL>

"zap-baseline.py" で使用可能なオプション一覧

stableとweeklyで若干使用できるオプションに差分がある

[root@sv01 ~]# docker run owasp/zap2docker-stable zap-baseline.py -h
2017-11-19 12:23:56,021 Invalid option h : option -h not recognized
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"

For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

[root@sv01 ~]# docker run owasp/zap2docker-weekly zap-baseline.py -h
2017-11-19 12:24:05,359 Invalid option h : option -h not recognized
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-J report_json file to write the full ZAP JSON document
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-T max time in minutes to wait for ZAP to start and the passive scan to run
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"

For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
[root@sv01 ~]#

実行結果

  • weeklyとstableで実行差分が発生している

   -zap2docker-weekly では実施可能

   zap2docker-stable では実施不可

   となった原因がよくわからないが、以下の内容に近いのか?

ZAP baseline scan Docker randomly fails with `ValueError: need more than 1 value to unpack` · Issue #3763 · zaproxy/zaproxy · GitHub

 

  • スパイダーの実施はデフォルト1分なので、全ファイルスキャンはできていないため、オプション設定" -m "の時間指定が必要かな。
  • オプション設定" -T "の時間指定”5”とするエラーとなる。
[root@sv01 ~]# docker run owasp/zap2docker-weekly zap-baseline.py -T 5 -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 20, 2017 2:32:48 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
2017-11-20 14:37:39,683 I/O error(5): Failed to connect to ZAP after 300 seconds
Traceback (most recent call last):
File "/zap/zap-baseline.py", line 297, in main
wait_for_zap_start(zap, timeout * 60)
File "/zap/zap_common.py", line 203, in wait_for_zap_start
'Failed to connect to ZAP after {0} seconds'.format(timeout_in_secs))
IOError: [Errno 5] Failed to connect to ZAP after 300 seconds
Found Java version 1.8.0_151
Available memory: 1823 MB
Setting jvm heap size: -Xmx455m
~省略~

 

1.CLIでZAP IMAGE確認

[root@sv01 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
owasp/zap2docker-weekly latest 2db09f036e9e 6 days ago 1.55GB
owasp/zap2docker-stable latest 12c3b9347b07 7 months ago 1.33GB
[root@sv01 ~]#

2.実行 

2-1.zap2docker-stable  →エラーで実行できず

[root@sv01 ~]# docker run owasp/zap2docker-stable zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 19, 2017 11:13:20 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Traceback (most recent call last):
File "/zap/zap-baseline.py", line 617, in <module>
main(sys.argv[1:])
File "/zap/zap-baseline.py", line 580, in main
except IOError as (errno, strerror):
ValueError: need more than 1 value to unpack
[root@sv01 ~]#

~該当行あたり~

■580行目あたり
 580 except IOError as (errno, strerror):
581 print("ERROR " + str(strerror))
582 logging.warning ('I/O error(' + str(errno) + '): ' + str(strerror))
583 dump_log_file(cid)

■617行目あたり
607 if fail_count > 0:
608 sys.exit(1)
609 elif warn_count > 0:
610 sys.exit(2)
611 elif pass_count > 0:
612 sys.exit(0)
613 else:
614 sys.exit(3)
615
616 if __name__ == "__main__":
617 main(sys.argv[1:])
618
2-2.zap2docker-weekly →実行可能
[root@sv01 ~]# docker run --rm -t owasp/zap2docker-weekly zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Nov 19, 2017 11:21:05 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi3792210081021508801.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1419)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:508)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3201)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2360)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:794)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:690)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3105)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3051)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:1861)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:147)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:74)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:65)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:93)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:68)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:54)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:397)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:259)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Total of 74 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: CSP Scanner [10055]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Passive Scanner [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 12
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
WARN-NEW: Password Autocomplete in Browser [10012] x 3
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 19
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: X-Frame-Options Header Not Set [10020] x 13
http://192.168.20.161/
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
http://192.168.20.161/archives/date/2017/10
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 42
http://192.168.20.161/
http://192.168.20.161/robots.txt
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 17
http://192.168.20.161/
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/archives/1
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 21
[root@sv01 ~]#

 

■実行はできたものの、エラーが発生している。(抜粋)

com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi3792210081021508801.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1419)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:508)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3201)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2360)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:794)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:690)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3105)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3051)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:1861)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:147)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:74)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:65)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:93)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:68)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:54)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:397)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:259)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)