如何使用OWASP ZAP的spiderViewStatus Java API来获取Spider完成工作的状态/百分比?

huangapple go评论84阅读模式
英文:

How to use the spiderViewStatus Java API of OWASP ZAP to get the status/percentage of work done by the Spider?

问题

以下是您提供的内容的翻译:

我正在遵循 [使用 Spider](https://www.zaproxy.org/docs/api/#using-spider) 的 API 文档。基于 Java 的代码块效果很好,我获得了输出。

- 代码:

    import java.util.List;

    import org.zaproxy.clientapi.core.ApiResponse;
    import org.zaproxy.clientapi.core.ApiResponseElement;
    import org.zaproxy.clientapi.core.ApiResponseList;
    import org.zaproxy.clientapi.core.ClientApi;

    public class SpiderViewStatus {

        private static final String ZAP_ADDRESS = "localhost";
        private static final int ZAP_PORT = 8080;
        // 根据 ZAP 中设置的 API 密钥进行更改,如果 API 密钥已禁用,则使用 NULL
        private static final String ZAP_API_KEY = "93tpvc1c5ek2b94arh0e7c8he";
        // 要测试的应用程序的 URL
        private static final String TARGET = "https://public-firing-range.appspot.com";
        //private static final String TARGET = "http://localhost:3000"; //Juice Shop

        public static void main(String[] args) {
            ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

            try {
                // 开始对目标进行爬行
                System.out.println("Spidering target : " + TARGET);
                ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
                String scanID;
                int progress;

                // 扫描返回一个扫描 ID 以支持并发扫描
                scanID = ((ApiResponseElement) resp).getValue();
                // 轮询状态直到完成
                while (true) {
                    Thread.sleep(1000);
                    progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
                    System.out.println("Spider progress : " + progress + "%");
                    if (progress >= 100) {
                        break;
                    }
                }
                System.out.println("Spider completed");
                // 如有必要,对爬虫结果进行后处理
                List<ApiResponse> spiderResults = ((ApiResponseList)
                api.spider.results(scanID)).getItems();
                for (ApiResponse spiderResult : spiderResults)
                    System.out.println(spiderResult);

                // TODO: 使用 Ajax Spider 进一步探索应用程序,或开始扫描应用程序以查找漏洞

            } catch (Exception e) {
                System.out.println("Exception : " + e.getMessage());
                e.printStackTrace();
            }
        }
    }

- 输出:

    Spidering target : https://public-firing-range.appspot.com
    Spider progress : 0%
    Spider progress : 66%
    Spider progress : 100%
    Spider completed
    https://public-firing-range.appspot.com/sitemap.xml
    https://public-firing-range.appspot.com/robots.txt
    https://public-firing-range.appspot.com


在“查看状态”部分中,还提到要执行 [status API](https://www.zaproxy.org/docs/api/#spiderviewstatus) 来获取 Spider 完成的工作状态/百分比。然而,当我附加 [spiderViewStatus](https://www.zaproxy.org/docs/api/#spiderviewstatus) 的代码块:

- 代码块:

    System.out.println("Spider completed");
    // 如有必要,对爬虫结果进行后处理

    //spiderViewStatus: https://www.zaproxy.org/docs/api/#spiderviewstatus
    URL obj = new URL("http://zap/JSON/spider/view/status/");
    HttpURLConnection con = (HttpURLConnection) obj.openConnection();
    con.setRequestMethod("GET");
    int responseCode = con.getResponseCode();
    BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
    String inputLine;
    StringBuffer response = new StringBuffer();
    while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
    }
    in.close();
    System.out.println(response.toString());

    // TODO: 使用 Ajax Spider 进一步探索应用程序,或开始扫描应用程序以查找漏洞

我遇到了 `java.net.UnknownHostException: zap` 错误,如下所示:

- 错误堆栈跟踪:

    Spidering target : https://public-firing-range.appspot.com
    Spider progress : 66%
    Spider progress : 100%
    Spider completed
    Exception : zap
    java.net.UnknownHostException: zap
        at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at sun.net.NetworkClient.doConnect(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.<init>(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at ZAP_tests.SpiderViewStatus.main(SpiderViewStatus.java:52)

我已尝试将 `http://zap/JSON/spider/view/status/` 替换为 `http://localhost:8080/JSON/spider/view/status/`,但仍然出现相同的错误。

有谁可以帮帮我吗?
英文:

I was following the API documentation of Using Spider. The Java based code block works great and I get an output.

  • Code:

      import java.util.List;
    
      import org.zaproxy.clientapi.core.ApiResponse;
      import org.zaproxy.clientapi.core.ApiResponseElement;
      import org.zaproxy.clientapi.core.ApiResponseList;
      import org.zaproxy.clientapi.core.ClientApi;
    
      public class SpiderViewStatus {
    
          private static final String ZAP_ADDRESS = &quot;localhost&quot;;
          private static final int ZAP_PORT = 8080;
          // Change to match the API key set in ZAP, or use NULL if the API key is disabled
          private static final String ZAP_API_KEY = &quot;93tpvc1c5ek2b94arh0e7c8he&quot;;
          // The URL of the application to be tested
          private static final String TARGET = &quot;https://public-firing-range.appspot.com&quot;;
          //private static final String TARGET = &quot;http://localhost:3000&quot;; //Juice Shop
    
          public static void main(String[] args) {
      	ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
    
      	try {
      	    // Start spidering the target
      	    System.out.println(&quot;Spidering target : &quot; + TARGET);
      	    ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
      	    String scanID;
      	    int progress;
    
      	    // The scan returns a scan id to support concurrent scanning
      	    scanID = ((ApiResponseElement) resp).getValue();
      	    // Poll the status until it completes
      	    while (true) {
      		    Thread.sleep(1000);
      		    progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
      		    System.out.println(&quot;Spider progress : &quot; + progress + &quot;%&quot;);
      		    if (progress &gt;= 100) {
      		        break;
      		    }
      	    }
      	    System.out.println(&quot;Spider completed&quot;);
      	    // If required post process the spider results
      			  List&lt;ApiResponse&gt; spiderResults = ((ApiResponseList)
      			  api.spider.results(scanID)).getItems(); for (ApiResponse
      			  spiderResult:spiderResults) System.out.println(spiderResult);
    
      	    // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
    
      	} catch (Exception e) {
      	    System.out.println(&quot;Exception : &quot; + e.getMessage());
      	    e.printStackTrace();
      	}
          }
      }
    
  • Output:

      Spidering target : https://public-firing-range.appspot.com
      Spider progress : 0%
      Spider progress : 66%
      Spider progress : 100%
      Spider completed
      https://public-firing-range.appspot.com/sitemap.xml
      https://public-firing-range.appspot.com/robots.txt
      https://public-firing-range.appspot.com
    

Within the View Status section it is also mentions to execute the status API to get the status/percentage of work done by the Spider. However when I append the code block of spiderViewStatus :

  • Code Block:

      System.out.println(&quot;Spider completed&quot;);
      // If required post process the spider results
    
      //spiderViewStatus: https://www.zaproxy.org/docs/api/#spiderviewstatus
      URL obj = new URL(&quot;http://zap/JSON/spider/view/status/&quot;);
      HttpURLConnection con = (HttpURLConnection) obj.openConnection();
      con.setRequestMethod(&quot;GET&quot;);
      int responseCode = con.getResponseCode();
      BufferedReader in = new BufferedReader(
      new InputStreamReader(con.getInputStream()));
      String inputLine;
      StringBuffer response = new StringBuffer();
      while ((inputLine = in.readLine()) != null) {
      response.append(inputLine);
      }
      in.close();
      System.out.println(response.toString());
    
      // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
    

I am facing java.net.UnknownHostException: zap as follows:

  • Error stacktrace:

      Spidering target : https://public-firing-range.appspot.com
      Spider progress : 66%
      Spider progress : 100%
      Spider completed
      Exception : zap
      java.net.UnknownHostException: zap
      	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
      	at java.net.PlainSocketImpl.connect(Unknown Source)
      	at java.net.SocksSocketImpl.connect(Unknown Source)
      	at java.net.Socket.connect(Unknown Source)
      	at java.net.Socket.connect(Unknown Source)
      	at sun.net.NetworkClient.doConnect(Unknown Source)
      	at sun.net.www.http.HttpClient.openServer(Unknown Source)
      	at sun.net.www.http.HttpClient.openServer(Unknown Source)
      	at sun.net.www.http.HttpClient.&lt;init&gt;(Unknown Source)
      	at sun.net.www.http.HttpClient.New(Unknown Source)
      	at sun.net.www.http.HttpClient.New(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      	at java.net.HttpURLConnection.getResponseCode(Unknown Source)
      	at ZAP_tests.SpiderViewStatus.main(SpiderViewStatus.java:52)
    

I have tried to replace http://zap/JSON/spider/view/status/ with http://localhost:8080/JSON/spider/view/status/ still the same error.

Can anyone help me out please?

答案1

得分: 1

你已经在初始代码中使用api.spider.status(scanID)调用了那个端点。

http://zap/主机只在你通过ZAP代理时才起作用,而在你的第二段代码中似乎没有这样做。

英文:

You are already calling that endpoint in your initial code using api.spider.status(scanID)

The http://zap/ host only works if you are proxying through ZAP, which you don't appear to be in your second section of code.

huangapple
  • 本文由 发表于 2020年5月19日 21:13:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/61891946.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定