如何使用OWASP ZAP的spiderViewStatus Java API来获取Spider完成工作的状态/百分比?

huangapple
go评论112阅读模式
英文:

How to use the spiderViewStatus Java API of OWASP ZAP to get the status/percentage of work done by the Spider?

问题

以下是您提供的内容的翻译:

  1. 我正在遵循 [使用 Spider](https://www.zaproxy.org/docs/api/#using-spider) 的 API 文档。基于 Java 的代码块效果很好,我获得了输出。
  3. - 代码:
  5.     import java.util.List;
  7.     import org.zaproxy.clientapi.core.ApiResponse;
  8.     import org.zaproxy.clientapi.core.ApiResponseElement;
  9.     import org.zaproxy.clientapi.core.ApiResponseList;
  10.     import org.zaproxy.clientapi.core.ClientApi;
  12.     public class SpiderViewStatus {
  14.         private static final String ZAP_ADDRESS = "localhost";
  15.         private static final int ZAP_PORT = 8080;
  16.         // 根据 ZAP 中设置的 API 密钥进行更改,如果 API 密钥已禁用,则使用 NULL
  17.         private static final String ZAP_API_KEY = "93tpvc1c5ek2b94arh0e7c8he";
  18.         // 要测试的应用程序的 URL
  19.         private static final String TARGET = "https://public-firing-range.appspot.com";
  20.         //private static final String TARGET = "http://localhost:3000"; //Juice Shop
  22.         public static void main(String[] args) {
  23.             ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
  25.             try {
  26.                 // 开始对目标进行爬行
  27.                 System.out.println("Spidering target : " + TARGET);
  28.                 ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
  29.                 String scanID;
  30.                 int progress;
  32.                 // 扫描返回一个扫描 ID 以支持并发扫描
  33.                 scanID = ((ApiResponseElement) resp).getValue();
  34.                 // 轮询状态直到完成
  35.                 while (true) {
  36.                     Thread.sleep(1000);
  37.                     progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
  38.                     System.out.println("Spider progress : " + progress + "%");
  39.                     if (progress >= 100) {
  40.                         break;
  41.                     }
  42.                 }
  43.                 System.out.println("Spider completed");
  44.                 // 如有必要,对爬虫结果进行后处理
  45.                 List<ApiResponse> spiderResults = ((ApiResponseList)
  46.                 api.spider.results(scanID)).getItems();
  47.                 for (ApiResponse spiderResult : spiderResults)
  48.                     System.out.println(spiderResult);
  50.                 // TODO: 使用 Ajax Spider 进一步探索应用程序,或开始扫描应用程序以查找漏洞
  52.             } catch (Exception e) {
  53.                 System.out.println("Exception : " + e.getMessage());
  54.                 e.printStackTrace();
  55.             }
  56.         }
  57.     }
  59. - 输出:
  61.     Spidering target : https://public-firing-range.appspot.com
  62.     Spider progress : 0%
  63.     Spider progress : 66%
  64.     Spider progress : 100%
  65.     Spider completed
  66.     https://public-firing-range.appspot.com/sitemap.xml
  67.     https://public-firing-range.appspot.com/robots.txt
  68.     https://public-firing-range.appspot.com
  71. 在“查看状态”部分中,还提到要执行 [status API](https://www.zaproxy.org/docs/api/#spiderviewstatus) 来获取 Spider 完成的工作状态/百分比。然而,当我附加 [spiderViewStatus](https://www.zaproxy.org/docs/api/#spiderviewstatus) 的代码块:
  73. - 代码块:
  75.     System.out.println("Spider completed");
  76.     // 如有必要,对爬虫结果进行后处理
  78.     //spiderViewStatus: https://www.zaproxy.org/docs/api/#spiderviewstatus
  79.     URL obj = new URL("http://zap/JSON/spider/view/status/");
  80.     HttpURLConnection con = (HttpURLConnection) obj.openConnection();
  81.     con.setRequestMethod("GET");
  82.     int responseCode = con.getResponseCode();
  83.     BufferedReader in = new BufferedReader(
  84.     new InputStreamReader(con.getInputStream()));
  85.     String inputLine;
  86.     StringBuffer response = new StringBuffer();
  87.     while ((inputLine = in.readLine()) != null) {
  88.     response.append(inputLine);
  89.     }
  90.     in.close();
  91.     System.out.println(response.toString());
  93.     // TODO: 使用 Ajax Spider 进一步探索应用程序,或开始扫描应用程序以查找漏洞
  95. 我遇到了 `java.net.UnknownHostException: zap` 错误,如下所示:
  97. - 错误堆栈跟踪:
  99.     Spidering target : https://public-firing-range.appspot.com
  100.     Spider progress : 66%
  101.     Spider progress : 100%
  102.     Spider completed
  103.     Exception : zap
  104.     java.net.UnknownHostException: zap
  105.         at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
  106.         at java.net.PlainSocketImpl.connect(Unknown Source)
  107.         at java.net.SocksSocketImpl.connect(Unknown Source)
  108.         at java.net.Socket.connect(Unknown Source)
  109.         at java.net.Socket.connect(Unknown Source)
  110.         at sun.net.NetworkClient.doConnect(Unknown Source)
  111.         at sun.net.www.http.HttpClient.openServer(Unknown Source)
  112.         at sun.net.www.http.HttpClient.openServer(Unknown Source)
  113.         at sun.net.www.http.HttpClient.<init>(Unknown Source)
  114.         at sun.net.www.http.HttpClient.New(Unknown Source)
  115.         at sun.net.www.http.HttpClient.New(Unknown Source)
  116.         at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
  117.         at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
  118.         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
  119.         at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
  120.         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
  121.         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
  122.         at java.net.HttpURLConnection.getResponseCode(Unknown Source)
  123.         at ZAP_tests.SpiderViewStatus.main(SpiderViewStatus.java:52)
  125. 我已尝试将 `http://zap/JSON/spider/view/status/` 替换为 `http://localhost:8080/JSON/spider/view/status/`,但仍然出现相同的错误。
  127. 有谁可以帮帮我吗?
英文:

I was following the API documentation of Using Spider. The Java based code block works great and I get an output.

  • Code:

    1.   import java.util.List;
    3.   import org.zaproxy.clientapi.core.ApiResponse;
    4.   import org.zaproxy.clientapi.core.ApiResponseElement;
    5.   import org.zaproxy.clientapi.core.ApiResponseList;
    6.   import org.zaproxy.clientapi.core.ClientApi;
    8.   public class SpiderViewStatus {
    10.       private static final String ZAP_ADDRESS = &quot;localhost&quot;;
    11.       private static final int ZAP_PORT = 8080;
    12.       // Change to match the API key set in ZAP, or use NULL if the API key is disabled
    13.       private static final String ZAP_API_KEY = &quot;93tpvc1c5ek2b94arh0e7c8he&quot;;
    14.       // The URL of the application to be tested
    15.       private static final String TARGET = &quot;https://public-firing-range.appspot.com&quot;;
    16.       //private static final String TARGET = &quot;http://localhost:3000&quot;; //Juice Shop
    18.       public static void main(String[] args) {
    19.   	ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
    21.   	try {
    22.   	    // Start spidering the target
    23.   	    System.out.println(&quot;Spidering target : &quot; + TARGET);
    24.   	    ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
    25.   	    String scanID;
    26.   	    int progress;
    28.   	    // The scan returns a scan id to support concurrent scanning
    29.   	    scanID = ((ApiResponseElement) resp).getValue();
    30.   	    // Poll the status until it completes
    31.   	    while (true) {
    32.   		    Thread.sleep(1000);
    33.   		    progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
    34.   		    System.out.println(&quot;Spider progress : &quot; + progress + &quot;%&quot;);
    35.   		    if (progress &gt;= 100) {
    36.   		        break;
    37.   		    }
    38.   	    }
    39.   	    System.out.println(&quot;Spider completed&quot;);
    40.   	    // If required post process the spider results
    41.   			  List&lt;ApiResponse&gt; spiderResults = ((ApiResponseList)
    42.   			  api.spider.results(scanID)).getItems(); for (ApiResponse
    43.   			  spiderResult:spiderResults) System.out.println(spiderResult);
    45.   	    // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
    47.   	} catch (Exception e) {
    48.   	    System.out.println(&quot;Exception : &quot; + e.getMessage());
    49.   	    e.printStackTrace();
    50.   	}
    51.       }
    52.   }

  • Output:

    1.   Spidering target : https://public-firing-range.appspot.com
    2.   Spider progress : 0%
    3.   Spider progress : 66%
    4.   Spider progress : 100%
    5.   Spider completed
    6.   https://public-firing-range.appspot.com/sitemap.xml
    7.   https://public-firing-range.appspot.com/robots.txt
    8.   https://public-firing-range.appspot.com

Within the View Status section it is also mentions to execute the status API to get the status/percentage of work done by the Spider. However when I append the code block of spiderViewStatus :

  • Code Block:

    1.   System.out.println(&quot;Spider completed&quot;);
    2.   // If required post process the spider results
    4.   //spiderViewStatus: https://www.zaproxy.org/docs/api/#spiderviewstatus
    5.   URL obj = new URL(&quot;http://zap/JSON/spider/view/status/&quot;);
    6.   HttpURLConnection con = (HttpURLConnection) obj.openConnection();
    7.   con.setRequestMethod(&quot;GET&quot;);
    8.   int responseCode = con.getResponseCode();
    9.   BufferedReader in = new BufferedReader(
    10.   new InputStreamReader(con.getInputStream()));
    11.   String inputLine;
    12.   StringBuffer response = new StringBuffer();
    13.   while ((inputLine = in.readLine()) != null) {
    14.   response.append(inputLine);
    15.   }
    16.   in.close();
    17.   System.out.println(response.toString());
    19.   // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities

I am facing java.net.UnknownHostException: zap as follows:

  • Error stacktrace:

    1.   Spidering target : https://public-firing-range.appspot.com
    2.   Spider progress : 66%
    3.   Spider progress : 100%
    4.   Spider completed
    5.   Exception : zap
    6.   java.net.UnknownHostException: zap
    7.   	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    8.   	at java.net.PlainSocketImpl.connect(Unknown Source)
    9.   	at java.net.SocksSocketImpl.connect(Unknown Source)
    10.   	at java.net.Socket.connect(Unknown Source)
    11.   	at java.net.Socket.connect(Unknown Source)
    12.   	at sun.net.NetworkClient.doConnect(Unknown Source)
    13.   	at sun.net.www.http.HttpClient.openServer(Unknown Source)
    14.   	at sun.net.www.http.HttpClient.openServer(Unknown Source)
    15.   	at sun.net.www.http.HttpClient.&lt;init&gt;(Unknown Source)
    16.   	at sun.net.www.http.HttpClient.New(Unknown Source)
    17.   	at sun.net.www.http.HttpClient.New(Unknown Source)
    18.   	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
    19.   	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
    20.   	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    21.   	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
    22.   	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    23.   	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    24.   	at java.net.HttpURLConnection.getResponseCode(Unknown Source)
    25.   	at ZAP_tests.SpiderViewStatus.main(SpiderViewStatus.java:52)

I have tried to replace http://zap/JSON/spider/view/status/ with http://localhost:8080/JSON/spider/view/status/ still the same error.

Can anyone help me out please?

答案1

得分: 1

你已经在初始代码中使用api.spider.status(scanID)调用了那个端点。

http://zap/主机只在你通过ZAP代理时才起作用,而在你的第二段代码中似乎没有这样做。

英文:

You are already calling that endpoint in your initial code using api.spider.status(scanID)

The http://zap/ host only works if you are proxying through ZAP, which you don't appear to be in your second section of code.

huangapple
  • 本文由 发表于 2020年5月19日 21:13:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/61891946.html
  • java
  • owasp
  • penetration-testing
  • security
  • zap
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定