備忘録/にわかエンジニアが好きなように書く

個人的にとりあえず仕組みを知るためにとりあえず動くまで構築や動作をみただけの単なる操作ログです。個人用の備忘録となり、最新の導入手順は個別に確認してください。 ※変な内容や間違いを書いているなどありましたらコメントやご指摘いただけると幸いです。

OWASP ZAP2.7(Docker Image) ZAP-Baseline-Scanを実行できた

OWASP ZAP2.7 / ZAP-Baseline-Scanを実行

以前のバージョンZAP2.6のdockerイメージでは実行できなかったZAP-Baseline-Scanを、

ZAP2.7がリリースされたので実施するとZAP2.7では実施できたから修正される。 

 

www.n-novice.com

 

 

構成

f:id:pocket01:20171119203820p:plain

実施方法

 ZAPにCLIでログイン後コマンドを実行する ※結果は下記に記載

実施コマンド

docker run --rm -t <image> zap-baseline.py -t <URL>

 

実施したZAPのバージョン確認

■weekly :OWASP ZAP D-2017-11-20

[root@sv01 ~]# docker run owasp/zap2docker-weekly zap.sh
Found Java version 1.8.0_151
Available memory: 1823 MB
Setting jvm heap size: -Xmx455m
310 [main] INFO org.zaproxy.zap.GuiBootstrap - OWASP ZAP D-2017-11-20 started 01/12/17 14:53:33 with home /home/zap/.ZAP_D/
ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
(Note, some of the ZAP features that require a display, for example, running AJAX Spider with Firefox, might still be run with the help of applications like Xvfb.)
396 [main] FATAL org.zaproxy.zap.GuiBootstrap - ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
(Note, some of the ZAP features that require a display, for example, running AJAX Spider with Firefox, might still be run with the help of applications like Xvfb.)
[root@sv01 ~]#

■stable :OWASP ZAP 2.7.0 started

[root@sv01 ~]# docker run owasp/zap2docker-stable zap.sh
Found Java version 1.8.0_151
Available memory: 1823 MB
Setting jvm heap size: -Xmx455m
564 [main] INFO org.zaproxy.zap.GuiBootstrap - OWASP ZAP 2.7.0 started 01/12/17 14:53:49 with home /home/zap/.ZAP/
ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
(Note, some of the ZAP features that require a display, for example, running AJAX Spider with Firefox, might still be run with the help of applications like Xvfb.)
678 [main] FATAL org.zaproxy.zap.GuiBootstrap - ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
(Note, some of the ZAP features that require a display, for example, running AJAX Spider with Firefox, might still be run with the help of applications like Xvfb.)
[root@sv01 ~]#

 

実施結果

■weekly :OWASP ZAP D-2017-11-20

⇒エラーは出ているが、一応結果は出力された

[root@sv01 ~]# docker run --rm -t owasp/zap2docker-weekly zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Dec 01, 2017 3:01:03 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi4185160500040504623.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1419)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:508)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3201)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2360)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:794)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:690)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3105)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3051)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:1861)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:147)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:74)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:65)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:93)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:68)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:54)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:397)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:259)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Total of 74 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: CSP Scanner [10055]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Passive Scanner [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 12
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
WARN-NEW: Password Autocomplete in Browser [10012] x 3
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 19
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: X-Frame-Options Header Not Set [10020] x 13
http://192.168.20.161/
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
http://192.168.20.161/archives/date/2017/10
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 42
http://192.168.20.161/
http://192.168.20.161/robots.txt
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 17
http://192.168.20.161/
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/archives/1
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 21
[root@sv01 ~]#

 

■stable :OWASP ZAP 2.7.0 started

[root@sv01 ~]#docker run --rm -t owasp/zap2docker-stable zap-baseline.py -t http://192.168.20.161
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Dec 01, 2017 3:07:11 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 74 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 12
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
WARN-NEW: Password Autocomplete in Browser [10012] x 3
http://192.168.20.161/wp-login.php
http://192.168.20.161/wp-login.php?reauth=1&redirect_to=http%3A%2F%2F192.168.20.161%2Fwp-admin%2F
http://192.168.20.161/wp-login.php
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 19
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: X-Frame-Options Header Not Set [10020] x 13
http://192.168.20.161/
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
http://192.168.20.161/archives/date/2017/10
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 42
http://192.168.20.161/
http://192.168.20.161/robots.txt
http://192.168.20.161
http://192.168.20.161/wp-admin/admin-ajax.php
http://192.168.20.161/archives/1
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 17
http://192.168.20.161/
http://192.168.20.161/
http://192.168.20.161/sitemap.xml
http://192.168.20.161
http://192.168.20.161/archives/1
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 19
[root@sv01 ~]#