Getting an error in Python code to automate OWASP ZAP for the application


Problem description


I am trying to automate OWASP ZAP to scan a project and identify security vulnerabilities, as per the article below:

https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html

I am getting an error in the line of code below:

zap.spider.scan(target)

Script source:

https://github.com/zaproxy/zaproxy/wiki/ApiPython

Code I am using:

```python
#!/usr/bin/env python
# The poster's script (taken from the ZAP ApiPython wiki page). Python 2 print
# statements are written as print() calls so the same file also runs under
# Python 3; nothing else in the flow is changed.
from __future__ import print_function

import time
from pprint import pprint
from zapv2 import ZAPv2

# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()

# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})

# ZAP starts accessing the target.
print('Accessing target %s' % target)
zap.urlopen(target)
time.sleep(2)

# The spider starts crawling the website for URLs
print('Spidering target %s' % target)
zap.spider.scan(target)

# Progress of spider
time.sleep(2)
print('Status %s' % zap.spider.status)
while int(zap.spider.status) < 100:
    print('Spider progress %: ' + zap.spider.status)
    time.sleep(400)

print('Spider completed')

# Give the passive scanner a chance to finish
time.sleep(5)

# The active scanning starts
print('Scanning target %s' % target)
zap.ascan.scan(target)
while int(zap.ascan.status) < 100:
    print('Scan progress %: ' + zap.ascan.status)
    time.sleep(600)

print('Scan completed')

# Report the results
print('Hosts: ' + ', '.join(zap.core.hosts))
print('Alerts: ')
pprint(zap.core.alerts())
```

Error I am getting:

```
root@kali:~/.jenkins/workspace/zap# python website-scan.py
Accessing target http://google.com/
Spidering target http://google.com/
Traceback (most recent call last):
  File "website-scan.py", line 21, in <module>
    zap.spider.scan(target)
  File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params)))
  File "build/bdist.linux-x86_64/egg/zapv2/__init__.py", line 158, in _request
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/dist-packages/simplejson/__init__.py", line 516, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```

Please let me know if I am missing anything.

Solution

http://google.com/ will redirect to something like https://google.com/ so you'll need to use that instead.

BTW, do you actually have permission to attack google.com?

What version of ZAP are you using, and how are you starting it?

As of ZAP 2.6.0, by default you will need to use an API key and can only connect from localhost. The script on the page you linked to has been updated to use an API key (https://github.com/zaproxy/zaproxy/wiki/ApiPython).

If you don't want to use an API key, or need to connect from a remote machine, then see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
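The two points the answer makes (spider the URL the target redirects to, and send the API key that ZAP 2.6.0 requires by default) as a small Python 3 helper module. This is an added example, not code from the original post or from the ZAP project. It uses only the standard library and mirrors what the zapv2 client does internally: the traceback shows the request going to `self.zap.base + 'spider/action/scan/'`, i.e. `http://zap/JSON/spider/action/scan/` through the ZAP proxy. Assumptions that are mine, not the page's: ZAP listens on 127.0.0.1:8080 and was started as `zap.sh -daemon -config api.key=changeme`; `http://testapp.local/` is a placeholder for an application you are authorized to scan; the redirect chains used for checking are constructed.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or the ZAP project).

resolve_target()      follow the http -> https redirect so the spider gets
                      the final URL (the answer's first point)
zap_api_url()         build a ZAP JSON API URL carrying the apikey parameter
decode_api_response() turn a non-JSON API reply into a readable error instead
                      of the bare JSONDecodeError shown in the question
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Base URL the zapv2 client uses (visible in the traceback as self.zap.base).
ZAP_API_BASE = "http://zap/JSON/"
ZAP_PROXY = "http://127.0.0.1:8080"  # assumption: ZAP's listen address
API_KEY = "changeme"                 # assumption: zap.sh -daemon -config api.key=changeme
TARGET = "http://testapp.local/"     # placeholder: an app you are authorized to scan

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _head(url):
    """One HEAD request with no redirect following; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_target(url, fetch=_head, max_hops=5):
    """Return the URL the target finally redirects to.

    fetch(url) -> (status, location) is injectable so the redirect logic can
    be exercised offline with a constructed chain.
    """
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url
        url = urllib.parse.urljoin(url, location)  # Location may be relative
    raise RuntimeError("more than %d redirects from %s" % (max_hops, url))


def zap_api_url(path, params, apikey):
    """Build a ZAP JSON API URL, e.g. path='spider/action/scan/', with the
    apikey parameter attached (required by default from ZAP 2.6.0)."""
    query = dict(params)
    query["apikey"] = apikey
    return ZAP_API_BASE + path + "?" + urllib.parse.urlencode(query)


def decode_api_response(body):
    """Parse a ZAP API reply body.

    A body that is not JSON is exactly what produced 'Expecting value: line 1
    column 1 (char 0)' in the question. Report the start of the body, so the
    things the answer asks about (API key, ZAP version, how ZAP was started)
    can be checked against what ZAP actually returned.
    """
    try:
        return json.loads(body)
    except ValueError:
        raise RuntimeError(
            "ZAP API reply is not JSON (check the API key, the ZAP version and "
            "how ZAP was started); reply begins: %r" % body[:120]) from None


def call_zap(path, params):
    """Send one API request through the ZAP proxy and decode the reply."""
    url = zap_api_url(path, params, API_KEY)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": ZAP_PROXY}))
    with opener.open(url, timeout=30) as resp:
        return decode_api_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Needs a running ZAP; resolves the redirect first, then starts the spider.
    final = resolve_target(TARGET)
    print("Spidering final target", final)
    print(call_zap("spider/action/scan/", {"url": final}))
```

`resolve_target` is deliberately separate from the scan: a spider started on `http://...` is pointed at a URL that only answers with a redirect, which is why the answer says to use the `https://` location instead. `decode_api_response` does no more than the zapv2 client's `_request` would, but fails with the offending reply body in the message rather than a bare JSON error.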
