
Glue Does Not Send Api Key to Zap In Header #154

Open
tdshipley opened this issue Mar 27, 2019 · 11 comments

@tdshipley
Contributor

tdshipley commented Mar 27, 2019

Hey,

Summary

Trying to use the Glue task for ZAP as the next stage in my security testing pipeline; however, I am coming across an issue that seems to kill it.

Issue Found

Glue sends the API key to Zap as an HTTP query parameter instead of in the header which it expects. This causes Zap to throw an error like this:

Provided parameter has illegal or unrecognized value (illegal_parameter) : &apikey=myapikey&contextName=b67b6ff7-de5b-4094-9cd6-0983cd21ec9c
	at org.zaproxy.zap.extension.api.API.getParams(Unknown Source)
	at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

Reproduction Steps

Assuming you have Zap version 2.6.0 running in api mode you can recreate this issue using:

docker run -i owasp/glue:raw-latest bin/glue -a my-api --target https://mytarget.net -t zap --zap-host http://0.0.0.0 --zap-port 8090 --zap-api-token myapikey

Which will cause a log output of:

Loading scanner...
Logfile nil?
calling scan
Running scanner
Mounting https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Mounted https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Processing target...https://mytarget.net
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
Running tasks in stage: live
live - Zap - #<Set:0x0000564b7f95a850>

Running tasks in stage: done
Running base report...

Running ZAP on: https://mytarget.net from http://0.0.0.0:8090 with b67b6ff7-de5b-4094-9cd6-0983cd21ec9c

At this stage, the process dies due to the request sent to Zap including the Zap API Key in an HTTP query param instead of the header.

Docker Image Versions Used

Zap: owasp/zap2docker-bare:2.6.0
Glue: owasp/glue:raw-latest

If there is any more info I can provide to help figure the issue out let me know.

@omerlh
Collaborator

omerlh commented Mar 28, 2019

Is this something that changed on zap side? I think this is something that worked in the past. @psiinon maybe you know?

Anyway, I will recommend using the dynamic task instead. An alternative will be to contribute a PR...

@tdshipley
Contributor Author

tdshipley commented Mar 28, 2019

Cool, I was just thinking about a PR! I will see how I get on with a dynamic task and let you know. Also, do you know if the Zap API supports scanning APIs using a Swagger file? I know the docker image itself does when running the python scripts, but I haven't seen anything in the API to support it so far.

@tdshipley
Contributor Author

tdshipley commented Mar 28, 2019

So for example with the Zap Docker image I can do something like:

/zap/zap-api-scan.py -t security/swagger-spec.json -f openapi

Where -t is the target defined as a swagger spec and -f is the format defined as openapi.

And Zap will use the swagger spec to traverse and test my API. I can't find an equivalent in the Zap API, but maybe there is one...

@omerlh
Collaborator

omerlh commented Mar 28, 2019

I'm not sure, but that's the power of the dynamic task: run zap however you like, export the report and parse it with Glue...

@tdshipley
Contributor Author

Ok will give it a go then and report back - thanks 👍

@psiinon
Member

psiinon commented Mar 28, 2019

@omerlh related to what and since when? :)

@omerlh
Collaborator

omerlh commented Mar 28, 2019

Sorry :) Regarding:

Glue sends the API key to Zap as an HTTP query parameter instead of in the header which it expects.

Since when does Zap expect the API key in a query param? Or did it never work with Glue?

@psiinon
Member

psiinon commented Mar 28, 2019

You should be able to use either an "apikey" query param or the X-ZAP-API-Key header.
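The two accepted forms named above (the "apikey" query parameter and the X-ZAP-API-Key header) are easy to get wrong when the query string is assembled by string concatenation, which is what the error in the report (a parameter whose value begins with "&apikey=...") suggests. The following is an added example, not Glue's own code, showing how a Ruby client can put the key in the header by default, or in a properly encoded "apikey" parameter on request, and how to inspect the resulting request without a running ZAP. It assumes the ZAP host and key values from the report and the ZAP JSON endpoint path /JSON/context/action/newContext/ (the context/newContext action; endpoint layout is an assumption about the ZAP API, not something stated in this thread).

```ruby
# Added example (not Glue's project code): build a ZAP API request that carries
# the API key in the X-ZAP-API-Key header, or as an encoded "apikey" query
# parameter, so that the key can never be fused into another parameter's value.
require 'uri'
require 'net/http'

ZAP_API_KEY_HEADER = 'X-ZAP-API-Key'.freeze

# Build a Net::HTTP::Get for a ZAP JSON API action.
#   zap_base:  base URL of the ZAP daemon, e.g. "http://0.0.0.0:8090" (value taken from the report)
#   component: ZAP API component, e.g. "context" (assumed endpoint naming)
#   operation: ZAP API action, e.g. "newContext" (assumed endpoint naming)
#   params:    hash of query parameters; the key is NOT expected to be in here
#   api_key:   sent in the header, or in the query when key_in_query: true
def build_zap_request(zap_base, component, operation, params, api_key, key_in_query: false)
  query = params.dup
  query['apikey'] = api_key if key_in_query
  uri = URI.join(zap_base, "/JSON/#{component}/action/#{operation}/")
  # encode_www_form escapes every name and value, so a "&" or "=" inside a
  # value (such as a context name) cannot be mistaken for a separator.
  uri.query = URI.encode_www_form(query) unless query.empty?
  req = Net::HTTP::Get.new(uri)
  req[ZAP_API_KEY_HEADER] = api_key unless key_in_query
  req
end

# Decompose a built request into path, decoded query parameters and the header
# value, so the construction can be checked offline.
def describe_request(req)
  uri = req.uri
  params = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  { path: uri.path, params: params, header_key: req[ZAP_API_KEY_HEADER] }
end

# True when the key travels in the query string rather than the header.
def api_key_in_query?(req)
  describe_request(req)[:params].key?('apikey')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mirroring the values in the report.
  req = build_zap_request('http://0.0.0.0:8090', 'context', 'newContext',
                          { 'contextName' => 'b67b6ff7-de5b-4094-9cd6-0983cd21ec9c' },
                          'myapikey')
  puts req.uri
  puts "#{ZAP_API_KEY_HEADER}: #{req[ZAP_API_KEY_HEADER]}"
  # To actually send it: Net::HTTP.start(req.uri.hostname, req.uri.port) { |h| h.request(req) }
end
```

The header form keeps the key out of proxy and web-server access logs that record request URLs, which is the usual reason to prefer it over the query parameter when both are accepted.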

@tdshipley
Contributor Author

Hey @omerlh - so the dynamic task worked as suggested, thanks, but I have hit another issue. The JIRA reporter assumes that issues should be raised as a bug issue type. The project I am working on does not have this issue type (instead having defect and story), so it fails to report the issues.

I can't see any way to pass in an override to the issue type to set to something else. Should I create a PR to add support for this?

@omerlh
Collaborator

omerlh commented Mar 31, 2019

Yes please, can you file a different issue for that? I would recommend adding an option for the issue type.

@stale

stale bot commented May 30, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 30, 2019