zap-cli icon indicating copy to clipboard operation
zap-cli copied to clipboard
verified publisher icon Grunny

zap-cli does not allow attacking an https site

Open maxg68 opened this issue 5 years ago • 0 comments

Describe the bug zap-cli does not allow attacking an https site

To Reproduce Steps to reproduce the behavior:

  1. zapcli-0.10.0]# zap-cli open-url https://10.10.10.10 [INFO] Accessing URL https://10.10.10.10 Traceback (most recent call last): File "/usr/local/bin/zap-cli", line 11, in load_entry_point('zapcli==0.10.0', 'console_scripts', 'zap-cli')() File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 664, in call return self.main(*args, **kwargs) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 644, in main rv = self.invoke(ctx) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 991, in invoke return _process_result(sub_ctx.command.invoke(sub_ctx)) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 837, in invoke return ctx.invoke(self.callback, **ctx.params) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 464, in invoke return callback(*args, **kwargs) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/decorators.py", line 26, in new_func return ctx.invoke(f, ctx.obj, *args[1:], **kwargs) File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 464, in invoke return callback(*args, **kwargs) File "build/bdist.linux-x86_64/egg/zapcli/cli.py", line 105, in open_url File "build/bdist.linux-x86_64/egg/zapcli/zap_helper.py", line 136, in open_url File "build/bdist.linux-x86_64/egg/zapv2/init.py", line 124, in urlopen File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/api.py", line 75, in get return request('get', url, params=params, **kwargs) File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/api.py", line 60, in request return session.request(method=method, url=url, **kwargs) File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/sessions.py", line 533, in request resp = self.send(prep, **send_kwargs) File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/sessions.py", line 646, in send r = adapter.send(request, **kwargs) File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL] EC lib (_ssl.c:727)'),))

  2. See SSLError in log File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL] EC lib (_ssl.c:727)'),))

Expected behavior I expect zap-cli to be able to perform an attack to https site, as done with OWASP-ZAP gui

Screenshots

Software versions

  • ZAP: zapcli-0.10.0
  • OS: Red Hat Enterprise Linux Server release 6.5 (Santiago) Linux linuxsrv2 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
  • Java: java version "1.8.0_152" Java(TM) SE Runtime Environment (build 1.8.0_152-b16) Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
  • Python-2.7.17

Errors from the zap.log file See previous log

Additional context

Would you like to help fix this issue?

maxg68 avatar Apr 16 '21 14:04 maxg68