
Glue Does Not Send Api Key to Zap In Header

Open tdshipley opened this issue 5 years ago • 11 comments

Hey,

Summary

Trying to use the Glue task for ZAP as the next stage in my security testing pipeline; however, I am coming across an issue which seems to kill it.

Issue Found

Glue sends the API key to Zap as an HTTP query parameter instead of in the header which it expects. This causes Zap to throw an error like this:

Provided parameter has illegal or unrecognized value (illegal_parameter) : &apikey=myapikey&contextName=b67b6ff7-de5b-4094-9cd6-0983cd21ec9c
	at org.zaproxy.zap.extension.api.API.getParams(Unknown Source)
	at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

Reproduction Steps

Assuming you have Zap version 2.6.0 running in api mode you can recreate this issue using:

docker run -i owasp/glue:raw-latest bin/glue -a my-api --target https://mytarget.net -t zap --zap-host http://0.0.0.0 --zap-port 8090 --zap-api-token myapikey

Which will cause a log output of:

Loading scanner...
Logfile nil?
calling scan
Running scanner
Mounting https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Mounted https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Processing target...https://mytarget.net
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
Running tasks in stage: live
live - Zap - #<Set:0x0000564b7f95a850>

Running tasks in stage: done
Running base report...

Running ZAP on: https://mytarget.net from http://0.0.0.0:8090 with b67b6ff7-de5b-4094-9cd6-0983cd21ec9c

At this stage, the process dies due to the request sent to Zap including the Zap API Key in HTTP query param instead of the header.

Docker Image Versions Used

Zap: owasp/zap2docker-bare:2.6.0
Glue: owasp/glue:raw-latest

If there is any more info I can provide to help figure the issue out let me know.

tdshipley, Mar 27 '19 18:03

Is this something that changed on the ZAP side? I think this is something that worked in the past. @psiinon maybe you know?

Anyway, I would recommend using the dynamic task instead. An alternative would be to contribute a PR...

omerlh, Mar 28 '19 10:03

Cool, I was just thinking about a PR! I will see how I get on with a dynamic task and let you know. Also, do you know if the ZAP API supports scanning APIs using a Swagger file? I know the Docker image itself does when running the Python scripts, but I haven't seen anything in the API to support it so far.

tdshipley, Mar 28 '19 11:03

So, for example, with the ZAP Docker image I can do something like:

/zap/zap-api-scan.py -t security/swagger-spec.json -f openapi

Where -t is the target defined as a swagger spec and -f is the format defined as openapi.

And ZAP will use the Swagger spec to traverse and test my API. I can't find an equivalent in the ZAP API, but maybe there is one...

tdshipley, Mar 28 '19 11:03

I'm not sure, but that's the power of the dynamic task: run ZAP however you like, export the report and parse it with Glue...

omerlh, Mar 28 '19 11:03

OK, will give it a go then and report back. Thanks 👍

tdshipley, Mar 28 '19 11:03

@omerlh related to what and since when? :)

psiinon, Mar 28 '19 13:03

Sorry :) Regarding:

Glue sends the API key to Zap as an HTTP query parameter instead of in the header which it expects.

Since when does ZAP expect the API key in a query param? Or did it never work with Glue?

omerlh, Mar 28 '19 13:03

You should be able to use either an "apikey" query param or the X-ZAP-API-Key header.

psiinon, Mar 28 '19 17:03
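The point psiinon makes above is that ZAP takes the API key in either place: an `apikey` query parameter or the `X-ZAP-API-Key` header. The following is an added example, not Glue's or ZAP's own code, showing how a Ruby client would build a ZAP API request both ways. The ZAP address, the `contextName` value and the key are made-up sample values; the endpoint path (`/JSON/context/view/context/`) is the ZAP API call whose parameter appears in the error quoted in the issue. Note that the value ZAP complained about in that error begins with a stray `&`, so the helper also builds the query string with `URI.encode_www_form` to show the shape ZAP expects, and `api_key_location` lets you check where a built request carries the key before pointing it at a real instance.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Header ZAP accepts as an alternative to the "apikey" query parameter.
ZAP_API_KEY_HEADER = 'X-ZAP-API-Key'.freeze

# Build a GET request for a ZAP API endpoint.
#   zap_base  - e.g. 'http://0.0.0.0:8090' (sample value)
#   component/op_type/op_name - ZAP API path segments, e.g. 'context', 'view', 'context'
#   params    - hash of endpoint parameters, e.g. { 'contextName' => '...' }
#   api_key   - the ZAP API key
#   location  - :header (default) sends the key in X-ZAP-API-Key; :query puts it
#               in the query string as "apikey" (both forms are accepted by ZAP).
# Sending the key in the header keeps it out of URLs and access logs, which is
# why :header is the default here.
def build_zap_request(zap_base, component, op_type, op_name, params, api_key, location: :header)
  uri = URI.join(zap_base, "/JSON/#{component}/#{op_type}/#{op_name}/")
  query = params.dup
  query['apikey'] = api_key if location == :query
  # encode_www_form yields "k=v&k2=v2" with no leading "&"; a query that
  # starts with "&" is the kind of input ZAP rejected in the quoted error.
  uri.query = URI.encode_www_form(query) unless query.empty?
  req = Net::HTTP::Get.new(uri)
  req[ZAP_API_KEY_HEADER] = api_key if location == :header
  req
end

# Where does this request carry the API key? Returns :header, :query or :none.
def api_key_location(req)
  return :header unless req[ZAP_API_KEY_HEADER].nil?
  query = URI(req.path).query.to_s
  return :query if URI.decode_www_form(query).any? { |k, _| k == 'apikey' }
  :none
end

# Send a built request to ZAP and return the parsed JSON body. Raises with the
# response body on a non-2xx status so an API-key or parameter error is visible
# instead of silently killing a pipeline stage. (Needs a running ZAP; not
# exercised by the stand-alone run below.)
def send_zap_request(zap_base, req)
  base = URI(zap_base)
  Net::HTTP.start(base.host, base.port, use_ssl: base.scheme == 'https') do |http|
    res = http.request(req)
    raise "ZAP API error #{res.code}: #{res.body}" unless res.is_a?(Net::HTTPSuccess)
    JSON.parse(res.body)
  end
end

if $PROGRAM_NAME == __FILE__
  # Sample values only: the ZAP address, context name and key are assumptions.
  req = build_zap_request('http://0.0.0.0:8090', 'context', 'view', 'context',
                          { 'contextName' => 'b67b6ff7-de5b-4094-9cd6-0983cd21ec9c' },
                          'myapikey')
  puts "GET #{req.path}"
  puts "#{ZAP_API_KEY_HEADER}: #{req[ZAP_API_KEY_HEADER]}"
  puts "key location: #{api_key_location(req)}"
end
```

With `location: :query` the same helper produces `/JSON/context/view/context/?contextName=...&apikey=myapikey`, which is the other form ZAP accepts; the header form is preferable because the key never lands in a URL.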

Hey @omerlh, so the dynamic task worked as suggested, thanks, but I have hit another issue. The JIRA reporter assumes that issues should be raised as a bug issue type. The project I am working on does not have this issue type (instead having defect and story), so it fails to report the issues.

I can't see any way to pass in an override to the issue type to set to something else. Should I create a PR to add support for this?

tdshipley, Mar 29 '19 12:03

Yes please, can you file a different issue for that? I would recommend adding an option for the issue type.

omerlh, Mar 31 '19 04:03

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], May 30 '19 05:05