Reputation: 17553
I am trying to automate owasp zap for scanning project to identify security vulnerability as per below article:
https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html
I am getting error in below line of code :-
zap.spider.scan(target)
Script source :-
https://github.com/zaproxy/zaproxy/wiki/ApiPython
Code I am using :-
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2
# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()
# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})
# ZAP starts accessing the target.
print 'Accessing target %s' % target
zap.urlopen(target)
time.sleep(2)
# The spider starts crawling the website for URLs
print 'Spidering target %s' % target
zap.spider.scan(target)
# Progress of spider
time.sleep(2)
print 'Status %s' % zap.spider.status
while (int(zap.spider.status) < 100):
print 'Spider progress %: ' + zap.spider.status
time.sleep(400)
print 'Spider completed'
# Give the passive scanner a chance to finish
time.sleep(5)
# The active scanning starts
print 'Scanning target %s' % target
zap.ascan.scan(target)
while (int(zap.ascan.status) < 100):
print 'Scan progress %: ' + zap.ascan.status
time.sleep(600)
print 'Scan completed'
# Report the results
print 'Hosts: ' + ', '.join(zap.core.hosts)
print 'Alerts: '
pprint(zap.core.alerts())
Error I am getting :-
root@kali:~/.jenkins/workspace/zap# python website-scan.py Accessing target http://google.com/ Spidering target http://google.com/ Traceback (most recent call last): File "website-scan.py", line 21, in zap.spider.scan(target) File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params))) File "build/bdist.linux-x86_64/egg/zapv2/init.py", line 158, in _request File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib/python2.7/dist-packages/simplejson/init.py", line 516, in loads return _default_decoder.decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode obj, end = self.raw_decode(s) File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode return self.scan_once(s, idx=_w(s, idx).end()) simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Please let me know If I am missing anything
Upvotes: 1
Views: 3312
Reputation: 6186
http://google.com/ will redirect to something like https://google.com/ so you'll need to use that instead.
BTW, do you actually have permission to attack google.com?
What version of ZAP are you using, and how are you starting it?
As of ZAP 2.6.0 by default you will need to use an API key and can only connect from localhost. The script on the page you linked to has been updated to use an API key (https://github.com/zaproxy/zaproxy/wiki/ApiPython)
If you dont want to use an API key, or need to connect from a remote machine then see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
Upvotes: 3