zaproxy: Could not connect ZAP in remote API

Describe the bug

The request is locked when try to execute the method scan of api.spider.

To Reproduce 1 - Create a remote Linux machine visible from localhost. We’re supposing it is on 10.152.165.2. 2 - ping 10.152.165.2 to grant the connectivity. 3 - In this machine, execute the following docker command to install zap in a container and run it.

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true

4 - From localhost, execute the curl command:

curl -X GET "http://10.157.152.184:8080/xml/spider/action/scan/?url=https%3A%2F%2Fteperamenttest--selestrim.repl.co&"

5 - In your localhost (a different machine from which ZAP is installed), implement the following Snippet class:

public class SimpleExample {
             //The next line contains the data where ZAP is installed and running.
             private static final String ZAP_ADDRESS = "10.152.165.2";
             private static final int ZAP_PORT = 8080;
             private static final String ZAP_API_KEY = null; // My api was configured 

             private static final String TARGET = "https://teperamenttest--selestrim.repl.co";

             public static void main(String[] args) {
                          ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

                          try {
                                       System.out.println("Spider : " + TARGET);
                                       ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
                          } catch (Exception e) {
                                       System.out.println("Exception : " + e.getMessage());
                                       e.printStackTrace();
                          }
             }
}

6 - Run it.

Problem Timeout. Connection never executes neither close alone. Zap ClientApi could not execute any method.

Expected behavior We expect the scanner starting.

Screenshot Not allowed.

Software versions

  • ZAP on the server: 2.6
  • ZAP Client Api: 1.6.0
  • OS: Windows 10
  • Java: 1.8.0_171
  • Browser: irrelevant

Errors from the zap.log file Any exception was thrown.

Additional context In the green line, we are creating the api as expected without any issues. We are calling the following constructor as expected:

public ClientApi(String zapAddress, int zapPort, String apiKey, boolean debug) {
                          proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(zapAddress, zapPort));
                          this.debug = debug;
                          this.zapAddress = zapAddress;
                          this.zapPort = zapPort;
                          this.apiKey = apiKey;
             }

Where zapAddres is 10.152.165.2 and port 8080.

So, we continue debugging until the red line. In this line, we are calling scan() method which calls api.callApi("spider", "action", "scan", map);, which by their time calls buildZapRequest() method, which has the following line:

sb.append("http://zap/");

Which defines zap hardcoded as the name of solved IP of zapAddres.

Question 1: Where in the code http://zap/ is being proxy to http://10.152.165.2:8080?

Once HttpRequest was built, the api open the connection with zap by the proxy and connect with uc.connect(). Therefore, the next line should test the connection, and here is where the code stay locked forever:

(...)
if (uc.getResponseCode() >= HttpURLConnection.HTTP_BAD_REQUEST) {
                                       return uc.getErrorStream();
                          }

This is the ClientApi.java@Line:359, in the method getConnectionInputStream(HttpRequest request). In this method, the generated request url in HttpRequest is: http://zap/xml/spider/action/scan/?url=https%3A%2F%2Fteperamenttest--selestrim.repl.co&

If I run the following command:

 curl -X GET "http://10.152.165.2:8080/xml/spider/action/scan/?url=https%3A%2F%2Fteperamenttest--selestrim.repl.co&"

We obtain as answer the expected:

 <?xml version="1.0" encoding="UTF-8" standalone="no"?><scan>0</scan>

But, running by the ZAP Api the code stay locked as you can see here in the following values: When in line ClientApi.java@L361:

=> if (uc.getResponseCode() >= HttpURLConnection.HTTP_BAD_REQUEST) {
            return uc.getErrorStream();
        }

We have request -> requestUri -> host = zap. The value which was set in the buildZapRequest method.

And then, I run the line is locking the code… exactly when I try to execute the command uc.getResponseCode().

And here are the values on proxy…

proxy -> sa -> holder -> addr -> holder -> address == 168496141 proxy -> sa -> hostname == null proxy -> sa -> port ==8080

Could you help us on that?

Here is a thread I was talking about it with Mr. @kingthorin (it is a pleasure talk with you guys about code! hehe), the co-lead. Which were not fixed for this issue.

https://github.com/zaproxy/zaproxy/issues/4750

Mr. @psiinon could you help us on that too?

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

Why are you curl’ing against 184 when the docker is on 2? (Or is docker actually on 184?)

When the docker image is up and running what do you get when you simply browse (without proxying) to localhost:8080 on the host system?

+1
kingthorin on May 29, 2019
Read more comments on GitHub
← zaproxy: Browser View add-on fails to build with aarch64
zaproxy: Docker container stable OR weekly do not create reports →