zap-cli's People

Contributors

g4z, grunny, haydenflinner, sliim

zap-cli's Issues

zap-cli import list does not list imported context

I was able to import a context successfully, but context list shows as empty

zap-cli context import bodgeIt-Context.context
[INFO] Imported context from bodgeIt-Context.context

zap-cli context list
[INFO] Available contexts: []

I can't get the alerts.

At first spider the target: zap.spider.scan(target)
and then scan zap.ascan.scan(target)
and after that, when I use zap.core.alerts() to get all results, I get a problem: sometimes it returns 'Internal Error', and sometimes I just can't get the result; it looks like it is stuck.

"Operation not allowed for current mode" encountered when attempting to use scan commands

Hello,

I've encountered the error "Operation not allowed for current mode" when I attempted to spider the url of a localhost application.

I've followed the steps presented in the readme file:

  1. pip install --upgrade zapcli
  2. zap-cli start
    [INFO] Starting ZAP daemon
  3. zap-cli open-url https://local-url-here
    [INFO] Accessing URL https://local-url-here
  4. zap-cli spider https://local-url-here
    [INFO] Running spider...
    [ERROR] Error running spider: "Operation not allowed for current mode"

The environment variables have been set for API_KEY, PATH and PORT.
As can be seen above, while zap can start and open the url as recommended in the readme file, when attempting to spider a target (or when using other actions such as active scans) zap-cli returns the error mentioned above.

Are there any extra steps required before an attempt to spider a given url can be made?

just load url in site tree without scan and save the session and exit.

Hi, I am looking for some help with the zap-cli, where I need to just add a url into the site tree, not perform any scan, and exit by saving the session. I want this because I want to automate scanning for different urls via Jenkins, and for that I need a zap session for every url. Please, I need a way via zapcli to just add a url to the site tree and not scan it, and exit by saving.

Thank You...

Connection aborted

Hello,

In attempting to run zap-cli from Ubuntu, I am receiving connection errors according to the following:

zap-cli quick-scan --self-contained --spider -r -s xss http://127.0.0.1
[INFO] Starting ZAP daemon
[WARNING] ZAP is already running on port 8090
[INFO] Running a quick scan for http://127.0.0.1
Traceback (most recent call last):
  File "/home/osboxes/.local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapcli/cli.py", line 281, in quick_scan
    zap_helper.set_enabled_scanners(options['scanners'])
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapcli/zap_helper.py", line 295, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners(apikey=self.api_key)
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/ascan.py", line 275, in disable_all_scanners
    return next(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params).itervalues())
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 155, in _request
    return self._request_api(url, get).json()
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 145, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

In researching this issue, it appears to be a problem with Python, specifically with python 2.7. I have tried using the recommended solution of Python3. This has not worked.

Has anyone else experienced this issue and are there any steps to try to troubleshoot so that I may use the zap-cli tool properly?

Thanks.

python error on generating html report

When I try to run a zap scan and generate an html report using the zap2docker-weekly/zap2docker-live image I get the below python error; it works fine on the zap2docker-stable image though.

UnicodeEncodeError: 'ascii' codec can't encode character u'\u06f1'

I tried setting the -e LANG=C.UTF-8 on docker run command, still no luck..

Steps to reproduce

Pre-req (on a Windows 10 machine)

  1. docker run -u zap -p 2375:2375 -d --name zapTest owasp/zap2docker-live zap.sh -daemon -port 2375 -host 127.0.0.1 -config api.disablekey=true -config scanner.attackOnStart=true -config view.mode=attack
  2. docker exec zapTest zap-cli -p 2375 open-url
  3. docker exec zapTest zap-cli -p 2375 spider
  4. docker exec zapTest zap-cli -p 2375 report --output html-test-report.html --output-format html
  5. get below error
    Traceback (most recent call last):
      File "/usr/local/bin/zap-cli", line 11, in <module>
        sys.exit(cli())
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
        return self.main(*args, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
        rv = self.invoke(ctx)
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
        return callback(*args, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
        return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
        return callback(*args, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 248, in report
        zap_helper.html_report(output)
      File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 392, in html_report
        self._write_report(report, file_path)
      File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 398, in _write_report
        f.write(report)
    UnicodeEncodeError: 'ascii' codec can't encode character u'\u06f1' in position 49802: ordinal not in range(128)

any thoughts?

Configure browser for spider?

I am scanning a SPA written in AngularJS. In the desktop version of zap I can run ajax-crawler, and it finds a lot of pages as expected. I am not able to see which pages ajax-crawler finds when I run it using zap-cli.
Is there a way to configure browser? Or get the crawler to log more?

Is there an attack option?

First thanks for this code - makes everything far simpler.

Having two issues however:

  1. -sc is hitting a timeout error waiting for the daemon to launch; this could just be a limitation of the underpowered machine it's running on
  2. I am unable to have a full attack run. Is this a limitation of Zap-Cli or the API?
    The active-scan just seems to run the zaproxy quick start scan, but not the full attack scan which is where I would find most High risk issues.

Am I missing something here?

Again awesome piece of work here.

[Question] Is it possible to change the attack scan policy strength?

As in title, when "zap-cli policies list" is run you can see that it accesses the strength of the policies, is it possible to change them at the moment through zap-cli?

Editing "Default Policy.policy" gets the desired results at the moment but it would be useful to either specify the strength through zap-cli policies enable -p "x"-s "y " or zap-cli policies "-import".

zap-cli quick-scan is not running. I need a help!

I have a difficulty installing and running zap-cli.
After several install attempts, I finally installed zap-cli via sudo, and the ZAP daemon ran successfully. My results are shown below.

$ sudo pip install --upgrade zapcli
....
$ sudo zap-cli --zap-path /usr/local/bin --api-key 1234567890 start
[INFO]            Starting ZAP daemon
$ sudo zap-cli --zap-path /usr/local/bin --api-key 1234567890 status
[INFO]            ZAP is running

However, if I try quick-scan with zap-cli, an error occurs.
What did I do wrong? I need your help, plz.

$ sudo zap-cli --zap-path /usr/local/bin --api-key 1234567890 quick-scan -s xss,sqli --spider -r -e "hacker" http://192.168.0.191
[INFO]            Running a quick scan for http://192.168.0.191
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 225, in quick_scan
    zap_helper.set_enabled_scanners(options['scanners'])
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 314, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners()
  File "/usr/local/lib/python2.7/dist-packages/zapv2/ascan.py", line 284, in disable_all_scanners
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params)))
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

[question] What is the command to set setOptionProxyChainName and port via ZAP-CLI

I'm using the docker image to run the zap-cli scan and I'm behind a corporate proxy. Via the ZAP GUI I'm setting the proxy from Tools->Options->Connections->Use an outgoing proxy

I'm able to do it successfully via the API too. But when I run the below command,
docker run -u zap -p 8080 -d owasp/zap2docker-weekly zap.sh -daemon -host 127.0.0.1 -config view.OptionsUseProxyChain=true -config view.setOptionProxyChainName=10.158.100.6 -config view.setOptionProxyChainPort=8080 -config api.disablekey=true -config scanner.attackOnStart=true -config view.mode=attack -config connection.dnsTtlSuccessfulQueries=-1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

I get the error Java Unknown Host Exception.

When I go inside the docker bash and try a curl command, it fails.

Please help.

'spider' and 'active-scan' fails: Error: Missing argument "url".None

I am trying to run OWASP ZAP as part of the Jenkins pipeline. For this I have a sh script and a saved session.

Owasp zap runs inside a docker container. I have a saved session which is mounted on a folder (/onp) inside the docker container.

Steps in the script:

CONTAINER_ID=$(docker run -v /home/jenkins/workspace/api/zap/session/:/onp -u root -p 2375:2375 -d owasp/zap2docker-stable zap.sh -daemon -port 2375 -host 127.0.0.1 -config api.disablekey=true -config scanner.attackOnStart=true -config view.mode=attack -config connection.dnsTtlSuccessfulQueries=-1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true)

docker exec $CONTAINER_ID zap-cli -p 2375 status -t 120

docker exec $CONTAINER_ID zap-cli -p 2375 -v session load /onp/onp-dev-subset-new.session

docker exec $CONTAINER_ID zap-cli -p 2375 -v spider --context-name onp

docker exec $CONTAINER_ID zap-cli -p 2375 -v active-scan -r -c onp

spider and active-scan fail with the following error. Console logs show this:

[INFO] ZAP is running
[DEBUG] Loading session from "/onp/onp-dev-subset-new.session"
Usage: zap-cli spider [OPTIONS] URL

Error: Missing argument "url".None
Usage: zap-cli active-scan [OPTIONS] URL

Error: Missing argument "url".None
[INFO] Issues found: 0

I'm not able to load a script to use in a context

I'm using the docker image to run my test.

I actually try to run zap on a site protected by csrf token and authentication so I had to create a Zest script in order to do the authentication, which I exported to a context to be used in zap-cli.

When I try to import context or script both fail.

zap@3c87f7e346b2:/zap$ zap-cli -v scripts load -n test -t Authentication -e 'Zest : Mozilla Zest' -f '/zap/work/test.zst'

[DEBUG] Loading script "test" from "/zap/work/test.zst"
[ERROR] Error loading script: Does Not Exist

zap@3c87f7e346b2:/zap$ file /zap/work/test.zst
/zap/work/test.zst: UTF-8 Unicode text, with very long lines

And when I'm trying to import the context (I assume it fails because it cannot find the script?)

zap@3c87f7e346b2:/zap$ zap-cli context import /zap/work/test.context

[ERROR] Importing context from file failed: The external data provided is not valid.

zap@3c87f7e346b2:/zap$ file /zap/work/test.context
/zap/work/test.context: XML 1.0 document, UTF-8 Unicode text

I'm kinda trapped. I don't really know what to do. Any idea? 😄

Unable to scan any url.

Hi,

I am trying to configure zap-cli in my windows 10 machine.
Steps :

  • Configured ZAP_PATH, ZAP_PORT, ZAP_URL in environment variable
  • Cloned git project
  • Installed python3.6.4 and set python in environment variable. Can run python anywhere using windows prompt
  • Installed pip
  • ran pip install --upgrade zapcli command
  • Entering zap-cli in windows cmd:
C:\>zap-cli
Usage: zap-cli [OPTIONS] COMMAND [ARGS]...

  ZAP CLI v0.9.0 - A simple commandline tool for OWASP ZAP.

Options:
  --boring            Remove color from console output.
  -v, --verbose       Add more verbose debugging output.
  --zap-path TEXT     Path to the ZAP daemon. Defaults to /zap or the value of
                      the environment variable ZAP_PATH.
  -p, --port INTEGER  Port of the ZAP proxy. Defaults to 8090 or the value of
                      the environment variable ZAP_PORT.
  --zap-url TEXT      The URL of the ZAP proxy. Defaults to http://127.0.0.1
                      or the value of the environment variable ZAP_URL.
  --api-key TEXT      The API key for using the ZAP API if required. Defaults
                      to the value of the environment variable ZAP_API_KEY.
  --help              Show this message and exit.

Commands:
  active-scan  Run an Active Scan.
  ajax-spider  Run the AJAX Spider against a URL.
  alerts       Show alerts at the given alert level.
  context      Manage contexts for the current session.
  exclude      Exclude a pattern from all scanners.
  open-url     Open a URL using the ZAP proxy.
  policies     Enable or list a set of policies.
  quick-scan   Run a quick scan.
  report       Generate XML or HTML report.
  scanners     Enable, disable, or list a set of scanners.
  scripts      Manage scripts.
  session      Manage sessions.
  shutdown     Shutdown the ZAP daemon.
  spider       Run the spider against a URL.
  start        Start the ZAP daemon.
  status       Check if ZAP is running.
  • But when I run the below command, I am getting error. Please let me know if anything is required
C:\>zap-cli quick-scan --self-contained --spider -r -s xss http://demo.testfire.net
[INFO]            Starting ZAP daemon
[WARNING]         ZAP is already running on port 8090
[INFO]            Running a quick scan for http://demo.testfire.net
Traceback (most recent call last):
  File "C:\python36\lib\site-packages\requests\packages\urllib3\connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "C:\python36\lib\site-packages\requests\packages\urllib3\connectionpool.py", line 386, in _make_request
    six.raise_from(e, None)
  File "<string>", line 2, in raise_from
  File "C:\python36\lib\site-packages\requests\packages\urllib3\connectionpool.py", line 382, in _make_request
    httplib_response = conn.getresponse()
  File "C:\python36\lib\http\client.py", line 1331, in getresponse
    response.begin()
  File "C:\python36\lib\http\client.py", line 297, in begin
    version, status, reason = self._read_status()
  File "C:\python36\lib\http\client.py", line 266, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\python36\lib\site-packages\requests\adapters.py", line 423, in send
    timeout=timeout
  File "C:\python36\lib\site-packages\requests\packages\urllib3\connectionpool.py", line 649, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "C:\python36\lib\site-packages\requests\packages\urllib3\util\retry.py", line 376, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
requests.packages.urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='127.0.0.1', port=8090): Max retries exceeded with url: http://zap/JSON/ascan/action/disableAllScanners/?apikey= (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response',)))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\python36\Scripts\zap-cli-script.py", line 11, in <module>
    load_entry_point('zapcli==0.9.0', 'console_scripts', 'zap-cli')()
  File "C:\python36\lib\site-packages\click\core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "C:\python36\lib\site-packages\click\core.py", line 644, in main
    rv = self.invoke(ctx)
  File "C:\python36\lib\site-packages\click\core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "C:\python36\lib\site-packages\click\core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "C:\python36\lib\site-packages\click\core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "C:\python36\lib\site-packages\click\decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "C:\python36\lib\site-packages\click\core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "C:\python36\lib\site-packages\zapcli\cli.py", line 217, in quick_scan
    zap_helper.set_enabled_scanners(options['scanners'])
  File "C:\python36\lib\site-packages\zapcli\zap_helper.py", line 310, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners(apikey=self.api_key)
  File "C:\python36\lib\site-packages\zapv2\ascan.py", line 284, in disable_all_scanners
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params)))
  File "C:\python36\lib\site-packages\zapv2\__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "C:\python36\lib\site-packages\zapv2\__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "C:\python36\lib\site-packages\requests\sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "C:\python36\lib\site-packages\requests\sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\python36\lib\site-packages\requests\sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "C:\python36\lib\site-packages\requests\adapters.py", line 485, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8090): Max retries exceeded with url: http://zap/JSON/ascan/action/disableAllScanners/?apikey= (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response',)))

IOError: [Errno 13] Permission denied: u'/usr/local/zaproxy/zap.log'

[INFO] Starting ZAP daemon
Traceback (most recent call last):
  File "/home/ifs/.local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/ifs/.local/lib/python2.7/site-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/home/ifs/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/ifs/.local/lib/python2.7/site-packages/zapcli/cli.py", line 55, in start_zap_daemon
    zap_helper.start(options=start_options)
  File "/home/ifs/.local/lib/python2.7/site-packages/zapcli/zap_helper.py", line 84, in start
    with open(log_path, 'w+') as log_file:
IOError: [Errno 13] Permission denied: u'/usr/local/zaproxy/zap.log'
ifs@nthubuntu:~$ IOError: [Errno 13] Permission denied: u'/usr/local/zaproxy/zap.log'
IOError:: command not found

Just wondering what I am doing wrong.
Many thanks

'alert' results are different when run from command line using zap-cli and ZAP UI

Thanks for sharing wonderful work. It is really easy to use the tool.
I am trying to use ZAP-CLI so that I can control the OWASP ZAP tool through the command line and integrate it with a Bamboo pipeline. I can see that 'alert' results are different when run from the command line using zap-cli and from the ZAP UI.

  1. Run below command in linux system from command line zap-cli -p 8080 --zap-path /home/ubuntu/ZAP_2.6.0 quick-scan -s xss,sqli --spider -r http://xxxxx.com
  2. ZAP UI from windows machine: when run http://xxxxx.com from quick attack can get below alerts a. x-frame options headers not set, secure flag not set, http only tag is not set and all whereas from zap-cli getting no issues found.

Also please share more info on the below:
a. what other options can be set as argument as -s xss, sqli and all.
b. can authentication be performed using zap-cli (our application has a login screen - oauth implementation)

The same has been asked on stackoverflow:
http://stackoverflow.com/questions/43587793/zap-cli-alert-results-are-different-when-run-using-zap-cli-and-zap-ui-zap-ui-g

Great work. Please guide.

Never ending spider

I have been able to use zap-cli in the official owasp zap docker container. With a preconfigured context for login against a sample target site (juiceshop for example) the spider does not stop.

Is it possible to provide a max depth (the ZAP UI supports this) or perhaps provide a max time?

Thanks

Move alert processing feature from baseline scan to cli?

Hey
The zap baseline scan has the ability to process zap alerts and return a status code based on the alerts. This could be useful when using zap as part of a CI flow, so you can configure the alerts that are important to you and then fail the build if they are found. I think it might be nice to add it as a command to the CLI, so I can also use it in other flows that are not the baseline quick scan, for example, after running the zap proxy and scanning manually.

What do you think?
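
The alert gating requested above, sketched as an added example (not part of the original issue, and not zap-cli or baseline-scan code): it maps each alert to IGNORE, WARN or FAIL and derives a build exit code. The rule-file format, the exit codes, the fail-closed default and the sample alerts are assumptions of this example; the alert fields used (pluginId, alert, risk, url) are the ones ZAP's core alerts view returns.

```python
"""CI gate over ZAP alerts (added example; not zap-cli or baseline-scan code)."""
import sys

# Risk names as they appear in the "risk" field of each ZAP alert.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]
ACTIONS = ("IGNORE", "WARN", "FAIL")

# Exit codes chosen for this example.
EXIT_OK, EXIT_FAIL, EXIT_WARN = 0, 1, 2


def parse_rules(text):
    """Parse 'pluginId<TAB>ACTION<TAB>comment' lines into {pluginId: action}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError("line %d: expected pluginId<TAB>ACTION" % lineno)
        plugin_id, action = fields[0].strip(), fields[1].strip().upper()
        if action not in ACTIONS:
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        rules[plugin_id] = action
    return rules


def default_action(risk, fail_at="High"):
    """Action for alerts without an explicit rule."""
    if risk not in RISK_ORDER:
        return "FAIL"  # unknown risk value: fail closed rather than pass silently
    at_or_above = RISK_ORDER.index(risk) >= RISK_ORDER.index(fail_at)
    return "FAIL" if at_or_above else "WARN"


def evaluate(alerts, rules, fail_at="High"):
    """Return (exit_code, findings); findings maps action -> sorted unique alerts."""
    findings = {action: set() for action in ACTIONS}
    for alert in alerts:
        plugin_id = str(alert.get("pluginId", ""))
        action = rules.get(plugin_id) or default_action(alert.get("risk"), fail_at)
        # ZAP reports one alert per affected request; deduplicate per rule and URL.
        findings[action].add(
            (plugin_id, alert.get("alert", "?"), alert.get("url", "?"))
        )
    if findings["FAIL"]:
        code = EXIT_FAIL
    elif findings["WARN"]:
        code = EXIT_WARN
    else:
        code = EXIT_OK
    return code, {action: sorted(items) for action, items in findings.items()}


# Constructed sample data, shaped like the list returned by zap.core.alerts().
SAMPLE_ALERTS = [
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set",
     "risk": "Medium", "url": "http://app.example/"},
    {"pluginId": "10010", "alert": "Cookie No HttpOnly Flag",
     "risk": "Low", "url": "http://app.example/login"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://app.example/search?query=x"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://app.example/search?query=x"},
]

# Constructed rule file: the alerts this team cares about, and an accepted risk.
SAMPLE_RULES = (
    "# pluginId\tACTION\tcomment\n"
    "10020\tFAIL\t(clickjacking matters for this app)\n"
    "10010\tIGNORE\t(accepted risk)\n"
)


if __name__ == "__main__":
    exit_code, result = evaluate(SAMPLE_ALERTS, parse_rules(SAMPLE_RULES))
    for action in ("FAIL", "WARN"):
        for plugin_id, name, url in result[action]:
            print("%s\t%s\t%s\t%s" % (action, plugin_id, name, url))
    sys.exit(exit_code)
```

In a pipeline, the alert list would come from the running daemon after the manual proxying or scanning step, and the script's exit status decides whether the build step passes.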

error start zap-cli

I failed to run zap-cli despite an installation from source

I try all the examples in the documentation unsuccessfully error
sample error

zap-cli --api-key 12345 quick-scan --self-contained -o '-config api.key=12345' -s xss http://127.0.0.1/
[INFO] Starting ZAP daemon
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 9, in <module>
    load_entry_point('zapcli==0.2.1', 'console_scripts', 'zap-cli')()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "build/bdist.linux-i686/egg/zapcli/cli.py", line 246, in quick_scan
  File "build/bdist.linux-i686/egg/zapcli/zap_helper.py", line 77, in start
IOError: [Errno 2] No such file or directory: u'/zap/zap.log'

zap-cli start --start-options '-config api.key=12345'
[INFO] Starting ZAP daemon
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 9, in <module>
    load_entry_point('zapcli==0.2.1', 'console_scripts', 'zap-cli')()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "build/bdist.linux-i686/egg/zapcli/cli.py", line 102, in start_zap_daemon
  File "build/bdist.linux-i686/egg/zapcli/zap_helper.py", line 77, in start
IOError: [Errno 2] No such file or directory: u'/zap/zap.log'

Environment variables don't work

Hello,

I am trying to use zap-cli and I am running into this issue upon attempting to start the process. "ZAP was not found in the path "/zap". You can set the path to where ZAP is installed on your system using the --zap-path command line parameter or by default using the ZAP_PATH environment variable."

I have ZAP_PATH environment variable set to where ZAP proxy is installed in both User and System variables and I'm still getting that error.

zap-cli does not authenticate with the web site

Hello,

I created the context file from a template. The template file is attached (renamed .xml) The zap-cli commands directly below are executed and a positive response is shown [INFO], no errors. The zap log shows many lines as follows:

[ZAP-ActiveScanner-1] INFO User - Authenticating user: test

The "context credentials name" is test. And the credentials are provided as well with 64bit encoding.

The zap commands executed are:
zap-cli context import /zap/wrk/$APP_CONTEXT_FILE
zap-cli open-url "$APP_URL"
zap-cli exclude "$LOGOUT_APP_URL"
zap-cli spider --context-name "$APP_CONTEXT_NAME" --user-name "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"
zap-cli ajax-spider "$APP_URL"
zap-cli quick-scan -l Informational -s all -r -c "$APP_CONTEXT_NAME" -u "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"

Is there something wrong from zap-cli point of view here?
Please let me know.

redactedZap.log

template.txt

zap-cli context import failed

ZAP was started: zap-cli --zap-path /opt/ZAP_2.7.0/ -p 8090 --api-key 12345 start
I tried to import my context, but firstly I got:
[ERROR] Importing context from file failed: Internal Error
After that I got:
[ERROR] Importing context from file failed: The external data provided is not valid.

My context uses script auth. How can I create a script for zap-cli?

Exclude certain URLs

Hey *,

is there a way to exclude a URL from the alerts or mark it as a false positive?

What I've done so far is:

  • zap-cli exclude "$URL" ( where $URL is the complete url )
  • zap-cli exclude "$REG" ( where $REG is a regex that matches the exact payload )
  • zap-cli quick-scan -s xss -r -e "$URL" $APP
  • zap-cli quick-scan -s xss - r -e "$REG" $APP

unfortunately, none of those seems to work.
I can't provide more details on which url I'm scanning since it is work related, but the payload that zap-cli outputs is: ?query=%3Balert%281%29%3B which decoded is ?query=;alert(1);

Cheers,
Marvin
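An added example, not part of the original issue and not zap-cli's own code: a pre-flight audit of exclusion patterns, showing why a pasted URL containing a query string does not work as a regex and how an over-broad pattern removes more from scope than intended. The sample URLs and function names are constructed, and it assumes the pattern has to match the whole URL; Python's `re` stands in for ZAP's regex engine.

```python
import re

# Constructed sample URLs (not taken from the issue above).
SAMPLE_URLS = [
    "http://app.example/search?query=%3Balert%281%29%3B",
    "http://app.example/search?query=shoes",
    "http://app.example/logout",
    "http://app.example/account/settings",
]


def excluded_by(pattern, urls):
    """Return the URLs that an exclusion pattern removes from scan scope.

    Assumption: the pattern must match the whole URL, hence fullmatch().
    """
    compiled = re.compile(pattern)
    return [url for url in urls if compiled.fullmatch(url)]


def literal_url_pattern(url, include_subtree=False):
    """Build a pattern that matches `url` literally.

    With include_subtree=True everything that starts with `url` is matched.
    """
    escaped = re.escape(url)
    return escaped + ".*" if include_subtree else escaped


def audit(patterns, urls):
    """Map each pattern to the URLs it excludes, or to a regex error message."""
    report = {}
    for pattern in patterns:
        try:
            report[pattern] = excluded_by(pattern, urls)
        except re.error as exc:
            report[pattern] = "invalid regex: %s" % exc
    return report


if __name__ == "__main__":
    target = SAMPLE_URLS[0]
    candidates = [
        target,                                   # raw URL: '?' and '.' are regex operators
        literal_url_pattern(target),              # escaped: excludes exactly one URL
        literal_url_pattern("http://app.example/search", include_subtree=True),
        "http://app.example/.*",                  # over-broad: nothing is left to scan
        "http://app.example/search?query=alert(1",  # unbalanced '(' is not a valid regex
    ]
    for pattern, hit in audit(candidates, SAMPLE_URLS).items():
        print(pattern, "->", hit)
```

Running the audit against the list of URLs already in the site tree before a scan shows both failure modes: a pattern that excludes nothing, and one that silently empties the scope.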

Problem with ZAP-CLI

I launch the same command as you: zap-cli quick-scan --self-contained --spider -r -s xss http://....

I defined the environment variables ZAP_PATH and ZAP_PORT. But I get a Python error like this:
image

I scan VM with DVWA

zap-cli running error... help me!

Hi.
I'm having trouble running zap-cli on my Ubuntu.

My zap.sh is in the /usr/local/bin directory.

$ sudo find / -name "zap.sh"
/opt/zaproxy/zap.sh
/usr/local/bin/zap.sh

So, I worked as follows.
First of all, I installed zap-cli as shown here.

$ sudo pip install --upgrade zapcli
The directory '/home/dakkarkey/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/dakkarkey/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting zapcli
Requirement already up-to-date: python-owasp-zap-v2.4==0.0.14 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: six==1.10.0 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: click==4.0 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: termcolor==1.1.0 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: tabulate==0.7.5 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: requests==2.20.1 in /home/dakkarkey/.local/lib/python2.7/site-packages (from zapcli)
Requirement already up-to-date: idna<2.8,>=2.5 in /home/dakkarkey/.local/lib/python2.7/site-packages (from requests==2.20.1->zapcli)
Requirement already up-to-date: urllib3<1.25,>=1.21.1 in /home/dakkarkey/.local/lib/python2.7/site-packages (from requests==2.20.1->zapcli)
Requirement already up-to-date: certifi>=2017.4.17 in /home/dakkarkey/.local/lib/python2.7/site-packages (from requests==2.20.1->zapcli)
Requirement already up-to-date: chardet<3.1.0,>=3.0.2 in /home/dakkarkey/.local/lib/python2.7/site-packages (from requests==2.20.1->zapcli)
Installing collected packages: zapcli
Successfully installed zapcli-0.10.0

And I checked the status of zap-cli.
Since I have already run this before writing this article, I get a message "ZAP is already running on port 8081".

$ sudo zap-cli --zap-path /usr/local/bin --port 8081 start
[INFO]            Starting ZAP daemon
[WARNING]         ZAP is already running on port 8081

However, when I execute the command below, an error occurs.
I do not know what is wrong. What did I do wrong?
I need your help. Please answer me.

$ sudo zap-cli --zap-path /usr/local/bin --port 8081 quick-scan -s xss,sqli --spider -r -e "some text" http://172.30.1.15
[INFO]            Running a quick scan for http://172.30.1.15
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 225, in quick_scan
    zap_helper.set_enabled_scanners(options['scanners'])
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 314, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners()
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/zapv2/ascan.py", line 284, in disable_all_scanners
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params)))
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/dakkarkey/.local/lib/python2.7/site-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

Reporting does not work gives python error

Scanning works perfectly, but when I try to create a report after a scan into xml or html it gives me a python error.

I am trying to script zap-cli so that it will scan automatically and give me an xml report which I can inject into my html page every day to monitor the page.

zap-cli report
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 265, in report
    zap_helper.xml_report(output)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 399, in xml_report
    report = self.zap.core.xmlreport(apikey=self.api_key)
  File "/usr/local/lib/python2.7/dist-packages/zapv2/core.py", line 432, in xmlreport
    return (self.zap._request_other(self.zap.base_other + 'core/other/xmlreport/', {'apikey': apikey}))
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 170, in _request_other
    data = self._request_api(url, get)
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

zap-cli not start

Hi,
I get an error when I run this command:
root@kali:/home/zap-cli/zapcli# zap-cli /usr/bin/zaproxy start
[INFO] Starting ZAP daemon
[ERROR] ZAP was not found in the path "/usr/bin". You can set the path to where ZAP is installed on your system using the --zap-path command line parameter or by default using the ZAP_PATH environment variable.

Please help me.

ZAPHelper.run_spider() tries to convert self.zap.spider.status() to int, but it raises ValueError

self.zap.spider.status() returns "Does Not Exist" but run_spider() tries to convert it to int()

$ python -m pdb /usr/local/bin/zap-cli spider http://127.0.0.1:10080/
> /usr/local/bin/zap-cli(4)<module>()
-> import re
(Pdb) c
[INFO]            Running spider...
Traceback (most recent call last):
  File "/usr/lib/python2.7/pdb.py", line 1314, in main
    pdb._runscript(mainpyfile)
  File "/usr/lib/python2.7/pdb.py", line 1233, in _runscript    self.run(statement)
  File "/usr/lib/python2.7/bdb.py", line 400, in run
    exec cmd in globals, locals
  File "<string>", line 1, in <module>
  File "/usr/local/bin/zap-cli", line 4, in <module>
    import re
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 160, in spider_url
    zap_helper.run_spider(url)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 131, in run_spider
    while int(self.zap.spider.status()) < 100:
ValueError: invalid literal for int() with base 10: 'Does Not Exist'
Uncaught exception. Entering post mortem debugging
Running 'cont' or 'step' will restart the program
> /usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py(131)run_spider()
-> while int(self.zap.spider.status()) < 100:
(Pdb) p self.zap.spider.status()
u'Does Not Exist'
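An added example, not part of the original issue and not zap-cli's own code: a polling loop that treats a non-numeric spider status such as "Does Not Exist" as a condition to handle rather than passing it straight to `int()`. The names `parse_progress`, `wait_for_spider` and `SpiderStatusError` are hypothetical, and the status sequences are constructed; `get_status` stands in for a call like `zap.spider.status()`.

```python
import time


class SpiderStatusError(RuntimeError):
    """Raised when the spider never reports a usable progress value."""


def parse_progress(raw):
    """Return the progress as an int in 0..100, or None for any other reply."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None
    return value if 0 <= value <= 100 else None


def wait_for_spider(get_status, poll_interval=1.0, max_polls=600, max_bad=3):
    """Poll get_status() until it reports 100 and return the progress history.

    A non-numeric reply is tolerated max_bad - 1 times in a row (the scan may
    not be registered yet); after that the scan is treated as failed so that
    the caller does not report an empty result as a clean one.
    """
    history = []
    consecutive_bad = 0
    for _ in range(max_polls):
        raw = get_status()
        progress = parse_progress(raw)
        if progress is None:
            consecutive_bad += 1
            if consecutive_bad >= max_bad:
                raise SpiderStatusError(
                    "spider status was %r for %d consecutive polls"
                    % (raw, consecutive_bad)
                )
        else:
            consecutive_bad = 0
            history.append(progress)
            if progress >= 100:
                return history
        time.sleep(poll_interval)
    raise SpiderStatusError("spider did not finish within %d polls" % max_polls)


def run_constructed_cases():
    """Exercise the loop with constructed status sequences (no ZAP needed)."""
    healthy = iter(["0", "37", "Does Not Exist", "82", "100"])
    finished = wait_for_spider(lambda: next(healthy), poll_interval=0)

    never_started = iter(["Does Not Exist"] * 10)
    try:
        wait_for_spider(lambda: next(never_started), poll_interval=0)
        failure = None
    except SpiderStatusError as exc:
        failure = str(exc)
    return finished, failure


if __name__ == "__main__":
    print(run_constructed_cases())
```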

Question: I am not getting any issues on command line

When I'm running zap-cli everything seems fine. The tool tells me that it found 0 issues.

docker run -i owasp/zap2docker-stable zap-cli quick-scan -s all --self-contained --start-options '-config api.disablekey=true' https://www.leankoala.com

When running the GUI tool there are a lot of warnings, e.g. directory browsing or x-frame-options header not set.

Can you help me to find my misconfiguration?

Verbose:

[DEBUG]           Starting ZAP process with command: /zap/zap.sh -daemon -port 8080 -config api.disablekey=true.
[DEBUG]           Logging to /zap/zap.log
[DEBUG]           ZAP started successfully.
[INFO]            Running a quick scan for https://www.leankoala.com
[DEBUG]           Disabling all current scanners
[DEBUG]           Enabling all scanners
[DEBUG]           Scanning target https://www.leankoala.com...
[DEBUG]           Started scan with ID 0...
[DEBUG]           Scan progress %: 0
[DEBUG]           Scan progress %: 5
[DEBUG]           Scan progress %: 70
[DEBUG]           Scan #0 completed
[INFO]            Issues found: 0
[INFO]            Shutting down ZAP daemon
[DEBUG]           Shutting down ZAP.
[DEBUG]           ZAP shutdown successfully.

Cannot import ZAP Context

Hi, I have exported a context with owasp zap, and the file exported is an XML file.

When looking at the error given by zap-cli, it appears to be a JSON error. Have contexts from zap-ui ever been JSON? Or am I expected to encode it into JSON?

zap@Ghost3:/zap/raygun$ zap-cli context import auth.context 
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/commands/context.py", line 104, in context_import
    zap_helper.import_context(file_path)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 454, in import_context
    result = self.zap.context.import_context(file_path, apikey=self.api_key)
  File "/usr/local/lib/python2.7/dist-packages/zapv2/context.py", line 108, in import_context
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'context/action/importContext/', {'contextFile': contextfile, 'apikey': apikey})))
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 160, in _request
    return data.json()
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 866, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

Unable to Spider and Scan after Webpage Authentication

I want to spider and scan the webpage after authentication (form-based). It's working on the ZAP GUI but not working with zap-cli in the command line. I was able to login and authenticate using context but that's it. As soon as I run the spider or active scan after authentication, it's not working. Kindly Help.

Zap-cli start does not properly handle -host argument

I'm attempting to use zap-cli to connect to a url other than localhost, and I'm attempting to do so by using the command zap-cli start -o "-host $LOCAL_PROXY -config api.key=30690" where LOCAL_PROXY is a valid IP address to connect to. When I attempt this, zap-cli times out and tells me it failed to connect, and then running zap-cli status tells me that ZAP is not running.

However, if I check zap.log, the last printed message is that ZAP is now listening on the port and url I want it to listen to. This happens whether my ZAP_URL environment variable is localhost or the url I want to listen to. Additionally, if I set ZAP_URL to my desired URL, I get back WARN org.zaproxy.zap.extension.api.API - Request to API URL http://172.25.0.6:8085/ from 172.25.0.6 not permitted which means that localhost is probably the better one to use as my environment variable for this purpose.

Additionally, if I set ZAP_URL to my desired URL and don't set a host argument, it times out, then if I check zap.log the printed message is that I'm now listening on localhost and my specified port. Zap-cli starts fine if I supply no host argument and have my ZAP_URL be localhost or I have both arguments as localhost. From all this I'm guessing that the check that the zap daemon is running isn't handled properly with hosts other than localhost, maybe it's checking from a zap process on the wrong address.

Spider doesn't walk all the URL's in the context

My problem, I think, stems from having a login URL that is different from the URL I need to scan.
In the GUI application of ZAP I can execute a spider or a scan against all the URLs in the context.

I start ZAP in daemon
/zap.sh -config api.key=12345 -port 8090 -daemon &

import my context
zap-cli -p 8090 --api-key 12345 context import /path/to/my.context

Then I attempt to spider
Say I had the following two URLs in my context
https://my.login.url/login
https://my.scan.url/whatsup/*
The GUI app would login for me (after I setup the user) at the login URL and then walk all the pages in "https://my.scan.url/whatsup/*" using the context as a guide.

With zap-cli I can do the following successfully, but it only goes after the login URL and does not proceed onto the rest of the context:
zap-cli -p 8090 --api-key 12345 spider -c my_awesome_context -u [email protected] https://my.login.url/login

when I try to do:
zap-cli -p 8090 --api-key 12345 spider -c my_awesome_context -u [email protected] https://my.scan.url/whatsup/
or
zap-cli -p 8090 --api-key 12345 spider -c my_awesome_context -u [email protected] https://my.scan.url/whatsup/*

I get
[INFO] Running spider...
1062599 [ZAP-SpiderInitThread-1] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: my_awesome_context at Wed May 16 16:37:23 EDT 2018
1062600 [ZAP-SpiderInitThread-1] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
1062611 [ZAP-SpiderInitThread-1] INFO org.zaproxy.zap.spider.Spider - Starting spider...
1062611 [ZAP-SpiderInitThread-1] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: [email protected]
1064919 [ZAP-SpiderThreadPool-1-thread-2] ERROR io.swagger.parser.SwaggerCompatConverter - failed to read resource listing
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'var': was expecting ('true', 'false' or 'null')
at [Source: /tmp/openapi12718607691477304505.defn; line: 1, column: 5]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1702)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:558)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3528)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2686)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:878)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:772)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3850)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3799)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2447)
at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:189)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:116)
at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:107)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:99)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:74)
at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:55)
at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:393)
at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:259)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:187)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:844)
1065169 [ZAP-SpiderThreadPool-1-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
1065170 [ZAP-SpiderShutdownThread-1] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true

It is not readily apparent how I can initiate a scan or a spider that uses all URLs in the context provided and maintain a login as I do with the GUI application.

How can I initiate a scan or spider against the whole context?

Zap-cli connection refuse issue

I'm facing the error below while running zap-cli. Even though I define the port, it is still refusing the connection. Is there anything I'm missing here? Below is the error:

Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/cli.py", line 102, in open_url
    zap_helper.open_url(url)
  File "/usr/local/lib/python2.7/dist-packages/zapcli/zap_helper.py", line 132, in open_url
    self.zap.urlopen(url)
  File "/usr/local/lib/python2.7/dist-packages/zapv2/__init__.py", line 124, in urlopen
    return requests.get(url, proxies=self.__proxies, verify=False, *args, **kwargs).text
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 485, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8030): Max retries exceeded with url: http://testhtml5.vulnweb.com/ (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f119c1e2b50>: Failed to establish a new connection: [Errno 111] Connection refused',)))

Getting below error on giving shutdown

C:\Python27>python.exe Scripts\zap-cli-script.py shutdown
←[1m←[36m[INFO] ←[0mShutting down ZAP daemon
Traceback (most recent call last):
  File "Scripts\zap-cli-script.py", line 11, in <module>
    load_entry_point('zapcli==0.9.0', 'console_scripts', 'zap-cli')()
  File "C:\Python27\lib\site-packages\click\core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "C:\Python27\lib\site-packages\click\core.py", line 644, in main
    rv = self.invoke(ctx)
  File "C:\Python27\lib\site-packages\click\core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "C:\Python27\lib\site-packages\click\core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "C:\Python27\lib\site-packages\click\core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "C:\Python27\lib\site-packages\click\decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "C:\Python27\lib\site-packages\click\core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "C:\Python27\lib\site-packages\zapcli\cli.py", line 64, in shutdown_zap_daemon
    zap_helper.shutdown()
  File "C:\Python27\lib\site-packages\zapcli\zap_helper.py", line 100, in shutdown
    self.zap.core.shutdown(apikey=self.api_key)
  File "C:\Python27\lib\site-packages\zapv2\core.py", line 239, in shutdown
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/action/shutdown/', {'apikey': apikey})))
  File "C:\Python27\lib\site-packages\zapv2\__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "C:\Python27\lib\site-packages\zapv2\__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "C:\Python27\lib\site-packages\requests\sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "C:\Python27\lib\site-packages\requests\sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Python27\lib\site-packages\requests\sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "C:\Python27\lib\site-packages\requests\adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

Results of passive scan not adding to report or alerts

Zap-cli has been showing some odd behavior when I try to view the results thus far of a passive scan. I set zap-cli to passive scan on url 127.0.0.1 and port 8080, and then had Firefox proxy through this, but when I run zap-cli zap-cli alerts -l Low -f json it returns empty brackets. When I run zap-cli report -o report.xml it returns a file like this:

<?xml version="1.0"?><OWASPZAPReport version="2.7.0" generated="Wed, 6 Jun 2018 17:59:43"> <site name="http://example.com" host="example.com" port="80" ssl="false"><alerts></alerts></site><site name="http://ocsp.digicert.com" host="ocsp.digicert.com" port="80" ssl="false"><alerts></alerts></site><site name="http://pagead2.googlesyndication.com" host="pagead2.googlesyndication.com" port="80" ssl="false"><alerts></alerts></site><site name="http://platform.twitter.com" host="platform.twitter.com" port="80" ssl="false"><alerts></alerts></site><site name="http://m.addthisedge.com" host="m.addthisedge.com" port="80" ssl="false"><alerts></alerts></site><site name="http://m.addthis.com" host="m.addthis.com" port="80" ssl="false"><alerts></alerts></site><site name="http://randomcolour.com" host="randomcolour.com" port="80" ssl="false"><alerts></alerts></site><site name="http://www.theuselessweb.com" host="www.theuselessweb.com" port="80" ssl="false"><alerts></alerts></site><site name="http://s7.addthis.com" host="s7.addthis.com" port="80" ssl="false"><alerts></alerts></site><site name="http://www.ismycomputeron.com" host="www.ismycomputeron.com" port="80" ssl="false"><alerts></alerts></site><site name="http://redscientist.com" host="redscientist.com" port="80" ssl="false"><alerts></alerts></site></OWASPZAPReport>

All the websites I've been visiting are listed, but no vulnerabilities.

What's even more odd is that I've tried troubleshooting this and I've gotten the correct output from alerts but only after a significant amount of time. In one case I used the alerts and reports function (but nothing else) a few times for a half an hour and they weren't returning what I wanted them to. I then left my computer for another half an hour and came back and then ran the alerts command I mentioned earlier. It gave the passive scan results I wanted on all the websites I had visited in the hour I had it open the first time I ran it. The data for the vulnerabilities is definitely there but something seems to be holding it up, and I'm not sure what it is or how I'm eventually getting the report I want other than waiting long enough. Active scan and quick scan results are added to the report immediately, but passive scan results seem to be held up by something or sometimes not display at all.

Issue while generating report

I'm using zap-cli but am not able to generate a report in html format. zap-cli is not accepting the arguments; maybe there is some mistake.

zap-cli --zap-path zap.sh --api-key 12345 quick-scan -l Informational --self-contained -o '-config api.key=12345' --spider http://testhtml5.vulnweb.com/ report -o /report.html -f html

Suggestions needed.

sys.exit(num_alerts) in cli.py

This doesn't match my understanding of Unix error code conventions. Usually an error code means something went wrong, not the tool functioned as usual. If anything, I've seen tools throw an error code when they didn't find anything (grep, pgrep, pkill).

Any other opinions?
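An added example, not part of the original issue and not zap-cli's own code: what a CI gate sees when a scanner exits with the raw alert count, next to a bounded mapping. On POSIX systems only the low 8 bits of an exit status reach the parent process, so a run with 256 alerts is indistinguishable from a clean one. The names `gate_exit_code` and `observed_exit_status` and the three-value exit scheme are assumptions made for this illustration.

```python
import subprocess
import sys

# Hypothetical exit scheme for a scan wrapper used as a CI gate.
EXIT_CLEAN = 0        # scan ran, no alerts at or above the threshold
EXIT_ALERTS = 1       # scan ran, alerts were found
EXIT_TOOL_ERROR = 2   # scan did not run to completion


def observed_exit_status(code):
    """Run a child process that calls sys.exit(code); return what the parent sees."""
    child = "import sys; sys.exit(%d)" % code
    return subprocess.run([sys.executable, "-c", child]).returncode


def gate_exit_code(num_alerts, scan_failed=False):
    """Map a scan outcome to a bounded exit code instead of the alert count."""
    if scan_failed:
        return EXIT_TOOL_ERROR
    if num_alerts < 0:
        raise ValueError("alert count cannot be negative")
    return EXIT_ALERTS if num_alerts else EXIT_CLEAN


def compare(alert_counts):
    """Return (alerts, status seen with sys.exit(alerts), bounded code) rows."""
    return [
        (count, observed_exit_status(count), gate_exit_code(count))
        for count in alert_counts
    ]


if __name__ == "__main__":
    # Constructed alert counts; 256 and 512 wrap around to 0 on POSIX.
    for count, raw_status, bounded in compare([0, 3, 255, 256, 512]):
        print("alerts=%-4d sys.exit(alerts) -> %-4d bounded -> %d"
              % (count, raw_status, bounded))
```

Keeping a separate code for tool errors also lets the pipeline tell "alerts found" apart from "the scanner crashed", which the raw count cannot do.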

error start zap-cli

Thank you for your reply and work.
I updated zap and zap-cli with git and reinstalled everything.
I still encounter errors.

zap-cli --zap-path /usr/local/bin/ --api-key 12345 quick-scan --self-contained -o '-config api.key=12345' -s xss http://127.0.0.1/
[INFO] Starting ZAP daemon
[ERROR] ZAP was not found in the path "/usr/local/bin/". You can set the path to where ZAP is installed on your system using the --zap-path command line parameter or by default using the ZAP_PATH environment variable.

zap-cli --api-key 12345 quick-scan --self-contained -o '-config api.key=12345' -s xss http://127.0.0.1/
[INFO] Starting ZAP daemon
[ERROR] ZAP was not found in the path "/zap". You can set the path to where ZAP is installed on your system using the --zap-path command line parameter or by default using the ZAP_PATH environment variable.

root@fakessh:~# ls -alih /usr/local/bin/zap*
38016989 -rwxr-xr-x 1 root staff 214 mai 31 16:24 /usr/local/bin/zap
38020954 -rwxr-xr-x 1 root staff 298 mai 31 15:23 /usr/local/bin/zap-cli

There are still errors that prevent the operation.

Set active HTTP Session

With a custom session cookie, I'm not able to tell the spider to crawl properly even with a user set in a context that authenticates via form.

I tried logging in to the web app using the browser and set the session cookie as active session then the spider was able to crawl properly.

Is there a way to set it via zap-cli?

 Commands:
   active-scan  Run an Active Scan.
   ajax-spider  Run the AJAX Spider against a URL.
   alerts       Show alerts at the given alert level.
   context      Manage contexts for the current session.
   exclude      Exclude a pattern from all scanners.
   open-url     Open a URL using the ZAP proxy.
   policies     Enable or list a set of policies.
   quick-scan   Run a quick scan.
   report       Generate XML or HTML report.
   scanners     Enable, disable, or list a set of scanners.
   scripts      Manage scripts.
   session      Manage sessions.
   shutdown     Shutdown the ZAP daemon.
   spider       Run the spider against a URL.
   start        Start the ZAP daemon.
   status       Check if ZAP is running.

I don't see it in the list of commands.

zapv2 python has it,

zap.httpsessions.set_active_session(url, session, apikey)

Easy/built-in way (through the ZAP-exposed API status?) to know when ZAP is ready for its 1st (e.g. open-url, etc.) command

First and foremost - thanks for this simply elegant and flexible tool, @Grunny! I'm only now really starting to dig in, with (hopefully) most of my systems and infra work out of the way...

https://blog.mozilla.org/webqa/2016/06/28/dockerized-owasp-zap-security-scanning-in-jenkins-part-two/
https://blog.mozilla.org/webqa/2016/07/07/tough-lessons-learned-from-integrating-docker-zap-cli-and-jenkins/

It'd be really great if there were an easy/easier way to ensure that the ZAP client -- through its API -- were ready to begin other commands; such as at least the 1st, "open-url".

stephendonner/docker-zap#1 mentions a script workaround, but also points to a commit on May 9th in the "develop" branch - perhaps that can be incorporated?

zaproxy/zaproxy@1049e1d
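A readiness gate of the kind requested above, as an added example (not zap-cli's or ZAP's own code): it polls ZAP's core `version` API view until it answers. The function name, the injectable `fetch`/`sleep` parameters and the address in `__main__` are assumptions made for illustration.

```python
import http.client
import json
import time
import urllib.parse
import urllib.request

# Empty ProxyHandler: the probe must reach ZAP directly even when the CI job
# exports http_proxy (which often points at ZAP itself).
_DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _direct_get(url, timeout):
    with _DIRECT.open(url, timeout=timeout) as resp:
        return resp.read()


def wait_for_zap(base_url, timeout=60.0, interval=1.0, apikey=None,
                 fetch=_direct_get, sleep=time.sleep):
    """Poll ZAP's core "version" view until it answers.

    Returns the version string, or None if ZAP never answered within
    roughly `timeout` seconds. `fetch` and `sleep` are injectable so the
    loop can be exercised without a running daemon.
    """
    url = base_url.rstrip("/") + "/JSON/core/view/version/"
    if apikey:
        url += "?" + urllib.parse.urlencode({"apikey": apikey})
    attempts = max(1, int(timeout / interval))
    for attempt in range(attempts):
        try:
            body = json.loads(fetch(url, interval))
            if isinstance(body, dict) and body.get("version"):
                return str(body["version"])
        except (OSError, ValueError, http.client.HTTPException):
            pass  # refused, reset, timed out, or not JSON yet: still starting
        if attempt < attempts - 1:
            sleep(interval)
    return None


if __name__ == "__main__":
    # Assumed address; point this at wherever your ZAP daemon listens.
    version = wait_for_zap("http://127.0.0.1:8080", timeout=120, interval=2)
    print("ZAP ready, version %s" % version if version else "ZAP not ready")
```

Run it between `zap-cli start` and the first `zap-cli open-url`, and fail the build step when it returns `None`.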

Couldn't scan specific URLs [GET and POST method]

I'm using CentOS.
I started ZAP using the command below:
zap-cli start
Then I imported a context file. (I recorded a few URLs using ZAP on Windows with the GUI and exported them to a context.)
After that I imported it into the non-GUI CentOS machine,
using the command below:
zap-cli context import /root/XXX/XXX.context
After that I used the command below to scan it:
zap-cli quick-scan -s all https://demo.com/

It is navigating to other links except the one which I gave. Please help me to resolve it. I want to scan a few URLs using zap-cli on CentOS.

If I am wrong, please let me know alternate steps also.

Scanning of POST requests

Hello!

I'm trying to use zap-cli to scan our application, and I succeeded in doing it on a URL which uses the GET method.
However, I met a problem scanning a POST request, since the parameters were not included in the URL, and what I want to check is whether there is any security in those parameters.
(In the GUI the parameters are also recorded in the tree so that active-scan works.)

May I know whether there is any way to deal with POST requests?

Error just running zap-cli

Environment: Amazon Linux 64bit

Installed zap-cli via pip.
Set ZAP_PATH=/opt/zap (this is where zap.sh and the zap jars are)

# At the command line
$: zap-cli

Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 9, in <module>
    load_entry_point('zapcli==0.1.1', 'console_scripts', 'zap-cli')()
  File "/usr/lib/python2.6/dist-packages/pkg_resources/__init__.py", line 521, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.6/dist-packages/pkg_resources/__init__.py", line 2632, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.6/dist-packages/pkg_resources/__init__.py", line 2312, in load
    return self.resolve()
  File "/usr/lib/python2.6/dist-packages/pkg_resources/__init__.py", line 2318, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python2.6/site-packages/zapcli/cli.py", line 14, in <module>
    from zapcli.log import console
  File "/usr/local/lib/python2.6/site-packages/zapcli/log.py", line 60, in <module>
    console = logging.getLogger('zap')
  File "/usr/lib64/python2.6/logging/__init__.py", line 1427, in getLogger
    return Logger.manager.getLogger(name)
  File "/usr/lib64/python2.6/logging/__init__.py", line 951, in getLogger
    rv = _loggerClass(name)
  File "/usr/local/lib/python2.6/site-packages/zapcli/log.py", line 51, in __init__
    super(ConsoleLogger, self).__init__(name)
TypeError: super() argument 1 must be type, not classobj

Also did a: pip install logging
Just in case that was an issue.

Still same error. Would be awesome if I could get this working :)

ValueError: invalid literal for int() with base 10: 'Does Not Exist'

I get an error when trying to run an active scan:

zap-cli scanners list
+-------+--------------------------------------------+-------------+-----------+------------+
| ID    | Name                                       | Policy ID   | Enabled   | Strength   |
+=======+============================================+=============+===========+============+
+-------+--------------------------------------------+-------------+-----------+------------+
| 40018 | SQL Injection                              | 4           | true      | DEFAULT    |
+-------+--------------------------------------------+-------------+-----------+------------+

$ zap-cli -v active-scan -s 40018 "http://example.com"
[INFO] Running an active scan...
[DEBUG] Disabling all current scanners
[DEBUG] Enabling scanners with IDs 40018
[DEBUG] Scanning target http://example.com...
Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 9, in <module>
    load_entry_point('zapcli==0.1.1', 'console_scripts', 'zap-cli')()
  File "/Library/Python/2.7/site-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/Library/Python/2.7/site-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Library/Python/2.7/site-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Library/Python/2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/Library/Python/2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/zapcli/cli.py", line 179, in active_scan
    zap_helper.run_active_scan(url, recursive=recursive)
  File "/Library/Python/2.7/site-packages/zapcli/zap_helper.py", line 146, in run_active_scan
    while int(self.zap.ascan.status()) < 100:
ValueError: invalid literal for int() with base 10: 'Does Not Exist'
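The traceback above comes from passing ZAP's status reply straight to `int()`. The following added example (not zap-cli's code) shows a polling loop that validates both the scan ID and each status reply and surfaces ZAP's own message instead of a `ValueError`. `ScanError`, `parse_progress`, `scan_and_wait` and `FakeZap` are hypothetical names, and `FakeZap` is a constructed stand-in for a zapv2-style client.

```python
import time


class ScanError(RuntimeError):
    """ZAP answered with something other than a 0-100 progress value."""


def parse_progress(raw):
    """Return the scan progress as an int, or raise ScanError with ZAP's reply."""
    text = str(raw).strip()
    if not text.isdecimal() or int(text) > 100:
        raise ScanError("unexpected active scan status from ZAP: %r" % (raw,))
    return int(text)


def scan_and_wait(zap, url, interval=2.0, max_polls=1800, sleep=time.sleep):
    """Start an active scan and block until ZAP reports 100%.

    `zap` is a zapv2-style client exposing ascan.scan() and ascan.status().
    """
    scan_id = zap.ascan.scan(url)
    if not str(scan_id).isdecimal():
        # The scan was never created, so polling its status cannot succeed.
        raise ScanError("ZAP did not start a scan of %s: %r" % (url, scan_id))
    for _ in range(max_polls):
        if parse_progress(zap.ascan.status(scan_id)) >= 100:
            return scan_id
        sleep(interval)
    raise ScanError("scan %s did not finish after %d polls" % (scan_id, max_polls))


class FakeZap:
    """Constructed stand-in for a ZAP client; replays canned replies."""

    def __init__(self, scan_reply, statuses):
        self._scan_reply, self._statuses = scan_reply, list(statuses)
        self.ascan = self

    def scan(self, url):
        return self._scan_reply

    def status(self, scan_id=None):
        return self._statuses.pop(0)


if __name__ == "__main__":
    fake = FakeZap("0", ["10", "55", "100"])
    print(scan_and_wait(fake, "http://example.com", sleep=lambda s: None))
```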
